arXiv:1502.03708v2 [cs.CR] 8 Aug 2015 


PROVABLY WEAK INSTANCES OF RING-LWE 


YARA ELIAS, KRISTIN E. LAUTER, EKIN OZMAN, AND KATHERINE E. STANGE


Abstract. The ring and polynomial learning with errors problems (Ring-LWE and 
Poly-LWE) have been proposed as hard problems to form the basis for cryptosystems, 
and various security reductions to hard lattice problems have been presented. So far 
these problems have been stated for general (number) rings but have only been closely 
examined for cyclotomic number rings. In this paper, we state and examine the Ring- 
LWE problem for general number rings and demonstrate provably weak instances of the 
Decision Ring-LWE problem. We construct an explicit family of number fields for which 
we have an efficient attack. We demonstrate the attack in both theory and practice, 
providing code and running times for the attack. The attack runs in time linear in q, 
where q is the modulus. 

Our attack is based on the attack on Poly-LWE which was presented in [EHL]. We 
extend the EHL-attack to apply to a larger class of number fields, and show how it 
applies to attack Ring-LWE for a heuristically large class of fields. Certain Ring-LWE 
instances can be transformed into Poly-LWE instances without distorting the error too 
much, and thus provide the first weak instances of the Ring-LWE problem. We also 
provide additional examples of fields which are vulnerable to our attacks on Poly-LWE, 
including power-of-2 cyclotomic fields, presented using the minimal polynomial of $\zeta_{2^n} \pm 1$.


1. Introduction

Lattice-based cryptography has become a very hot research topic recently with the emergence of new applications to homomorphic encryption. The hardness of the Ring-LWE problem was related to various well-known hard lattice problems [R, MR09, MR04, LPR, BL+], and the hardness of the Poly-LWE problem was reduced to Ring-LWE in [LPR, DD]. The hardness of the Poly-LWE problem is used as the basis of security for numerous cryptosystems, including [BV, BGV, GHS]. The hardness of Ring-LWE was also shown [SS] to form a basis for the proof of security of a variant of NTRU [HPS, IEEE].

In [EHL], the first weaknesses in the Poly-LWE problem were discovered for classes of 
number fields satisfying certain properties. In addition, a list of properties of number fields 
were identified which are sufficient to guarantee a reduction between the Ring-LWE and 
the Poly-LWE problems, and a search-to-decision reduction for Ring-LWE. Unfortunately, 
in [EHL], no number fields were found which satisfied both the conditions for the attack 
and for the reductions. Thus [EHL] produced only examples of number fields which were 
weak instances for Poly-LWE. 

The contributions of this paper at a high level are as follows: In Section 3 we strengthen and extend the attacks presented in [EHL] in several significant ways. In Section 4, most importantly, we show how the attacks can be applied also to the Ring-LWE problem. In Section 5, we construct an explicit family of number fields for which we have an efficient attack on the Decision Ring-LWE Problem. This represents the first successful attacks on the Decision Ring-LWE problem for number fields with special properties. For Galois number fields, we also know that an attack on the decision problem gives an attack on the search version of Ring-LWE ([EHL]). In addition, in Section 9, we present the first successful implementation of the EHL attack at cryptographic sizes and attack both Ring-LWE and Poly-LWE instances. For example, for $n = 1024$ and $q = 2^{32} - 1$, the attack runs in about 13 hours. Code for the attack is given in Appendix A. In Section 6 we give a more general construction of number fields such that heuristically a large percentage of them will be vulnerable to the attacks on Ring-LWE.

In more detail, we consider rings of integers in number fields $K = \mathbb{Q}[x]/(f(x))$ of degree $n$, modulo a large prime number $q$, and we give attacks on Poly-LWE which work when $f(x)$ has a root of small order modulo $q$. The possibility of such an attack was mentioned in [EHL] but not explored further. In Sections 3.1 and 3.2, we give two algorithms for this attack, and in Sections 7 and 7.3 we give many examples of number fields and moduli, some of cryptographic size, which are vulnerable to this attack. The most significant consequence of the attack is the construction of the number fields which are weak for the Ring-LWE problem (Section 6).

To understand the vulnerability of Ring-LWE to these attacks, we state and examine the Ring-LWE problem for general number rings and demonstrate provably weak instances of Ring-LWE. We demonstrate the attack in both theory and practice for an explicit family of number fields, providing code and running times for the attack. The attack runs in time linear in $q$, where $q$ is the modulus. The essential point is that Ring-LWE instances can be mapped into Poly-LWE instances, and if the map does not distort the error too much, then the instances may be vulnerable to attacks on Poly-LWE. The distortion is governed by the spectral norm of the map, and we compute the spectral norm for the explicit family we construct in Section 5 and analyze when the attack will succeed. For the provably weak family which we construct, the feasibility of the attack depends on the ratio $\sqrt{q}/n$. We prove that the attack succeeds when $\sqrt{q}/n$ is above a certain bound, but in practice we find that we can attack instances where the ratio is almost 100 times smaller than that bound. Even for Ring-LWE examples which are not taken from the provably weak family, we were able to attack in practice relatively generic instances of number fields where the spectral norm was small enough (see Section 9).

We investigate cyclotomic fields (even 2-power cyclotomic fields) given by an alternate minimal polynomial, which are weak instances of Poly-LWE for that choice of polynomial basis. Section 7.3 contains numerous examples of 2-power cyclotomic fields which are vulnerable to attack when instantiated using an alternative polynomial basis, thus showing the heavy dependence of the hardness of these lattice-based problems on the choice of polynomial basis. In addition, we analyze the case of cyclotomic fields to understand their potential vulnerability to these lines of attack and we explain why cyclotomic fields are immune to attacks based on roots of small order (Section 8). Finally, we provide code in the form of simple routines in SAGE to implement the attacks and algorithms given in this paper and demonstrate successful attacks with running times (Section 9).

As a consequence of our results, one can conclude that the hardness of Ring-LWE is both dependent on special properties of the number field and sensitive to the particular choice of $q$, and some choices may be significantly weaker than others. In addition, for applications to cryptography, since our attacks on Poly-LWE run in time roughly $O(q)$ and may be applicable to a wide range of fields, including even 2-power cyclotomic fields with a bad choice of polynomial basis, these attacks should be taken into consideration when selecting parameters for Poly-LWE-based systems such as [BV, BGV] and other variants. For many important applications to homomorphic encryption (see for example [GLN, BLN]), these attacks will not be relevant, since the modulus $q$ is chosen large enough to allow for significant error growth in computation, and would typically be of size 128 bits up to 512 bits. For that range, the attacks presented in this paper would not run. However, in other applications of Ring-LWE to key exchange for the TLS protocol [BCNS], parameters for achieving 128-bit security are suggested where $n = 2^{10}$ and $q = 2^{32} - 1$, with $\sigma \approx 3$, and these parameters would certainly be vulnerable to our attacks for weak choices of fields and

2. Background on Poly-LWE

Let $f(x)$ be a monic irreducible polynomial in $\mathbb{Z}[x]$ of degree $n$, and let $q$ be a prime such that $f(x)$ factors completely modulo $q$. Let $P = \mathbb{Z}[x]/f(x)$ and let $P_q = P/qP = \mathbb{F}_q[x]/f(x)$. Let $\sigma \in \mathbb{R}^{+}$. The uniform distribution on $P \cong \mathbb{Z}^n$ will be denoted $\mathcal{U}$. By Gaussian distribution of parameter $\sigma$ we refer to a discrete Gaussian distribution of mean 0 and variance $\sigma^2$ on $P$, spherical with respect to the power basis. This will be denoted $\mathcal{G}_\sigma$. It is important to our analysis that we assume that in practice, elements are sampled from Gaussians of parameter $\sigma$ truncated at width $2\sigma$.

There are two standard Poly-LWE problems. Our attack solves the decision variant, but 
it also provides information about the secret. 

Problem 2.1 (Decision Poly-LWE Problem). Let $s(x) \in P$ be a secret. The decision Poly-LWE problem is to distinguish, with non-negligible advantage, between the same number of independent samples in two distributions on $P \times P$. The first consists of samples of the form $(a(x), b(x) := a(x)s(x) + e(x))$ where $e(x)$ is drawn from a discrete Gaussian distribution of parameter $\sigma$, and $a(x)$ is uniformly random. The second consists of uniformly random and independent samples from $P \times P$.

Problem 2.2 (Search Poly-LWE Problem). Let $s(x) \in P$ be a secret. The search Poly-LWE problem is to discover $s$ given access to arbitrarily many independent samples of the form $(a(x), b(x) := a(x)s(x) + e(x))$ where $e(x)$ is drawn from a discrete Gaussian of parameter $\sigma$, and $a(x)$ is uniformly random.

The polynomial $s(x)$ is called the secret and the polynomials $e_i(x)$ are called the errors.

2.1. Parameter selection. The selection of parameters for security is not yet a well-explored topic. Generally parameter recommendations for Poly-LWE and Ring-LWE are just based on the recommendations for general LWE, ignoring the extra ring structure, e.g. [PG, RV+, BCNS]. Sample concrete parameter choices have been suggested, where $w$ is the width of the Gaussian error distribution (precisely, $w =$

(1) $P_{\mathrm{LP}1} = (n, q, w) = (192, 4093, 8.87)$, $P_{\mathrm{LP}2} = (256, 4093, 8.35)$, $P_{\mathrm{LP}3} = (320, 4093, 8.00)$ for low, medium and high security, recommended by Lindner and Peikert in [LP];

(2) $P_{\mathrm{GF}} = (n, q, w) = (512, 12289, 12.18)$ for high security used in [GF+];

(3) $P_{\mathrm{BCNS}} = (n, q, w) = (1024, 2^{32} - 1, 3.192)$ suggested in [BCNS] for the TLS protocol. Here, $q = 2^{32} - 1$ was actually suggested but it is not prime. Here, the authors remark that $q$ is taken to be large for correctness but could potentially be decreased.

3. Attacks on Poly-LWE 

The attack we are concerned with is quite simple. It proceeds in four stages:

(1) Transfer the problem to $\mathbb{F}_q$ via a ring homomorphism $\phi : P_q \to \mathbb{F}_q$.

(2) Loop through guesses for the possible images $\phi(s(x))$ of the secret.

(3) Obtain the values $\phi(e_i(x))$ under the assumption that the guess at hand is correct.

(4) Examine the distribution of the $\phi(e_i(x))$ to determine if it is Gaussian or uniform.

If $f$ is assumed to have a root $\alpha = 1 \bmod q$ or $\alpha$ of small order modulo $q$, then this attack is due to Eisenträger-Hallgren-Lauter [EHL].

The first part is to transfer the problem to $\mathbb{F}_q$. Write $f(x) = \prod_{i=1}^{n}(x - \alpha_i)$ for the factorization of $f(x)$ over $\mathbb{F}_q$, which is possible by assumption. By the Chinese remainder theorem, if $f$ has no double roots, then
$$P_q \cong \prod_{i=1}^{n} \mathbb{F}_q[x]/(x - \alpha_i) \cong \mathbb{F}_q^{\,n}.$$
There are $n$ ring homomorphisms
$$\phi : P_q \to \mathbb{F}_q[x]/(x - \alpha_i) \cong \mathbb{F}_q, \qquad g(x) \mapsto g(\alpha_i).$$
Fix one of these, by specifying a root $\alpha = \alpha_i$ of $f(x)$ in $\mathbb{F}_q$. Apply the homomorphism to the coordinates of the $\ell$ samples $(a_i(x), b_i(x))$, obtaining $(a_i(\alpha), b_i(\alpha))$.

Next, loop through all $g \in \mathbb{F}_q$. Each value $g$ is to be considered a guess for the value of $s(\alpha)$. For each guess $g$, assuming that it is a correct guess and $g = s(\alpha)$, then
$$e_i(\alpha) = b_i(\alpha) - a_i(\alpha)g = b_i(\alpha) - a_i(\alpha)s(\alpha).$$
In the case that the samples were LWE samples and the guess was correct, then this produces a collection $(e_i(\alpha))$ of images of errors chosen according to some distribution. If the distributions $\phi(\mathcal{U})$ and $\phi(\mathcal{G}_\sigma)$ are distinguishable, then we can determine whether the distribution was uniform or Gaussian. Note that $\phi(\mathcal{U})$ will of course be uniform on $\mathbb{F}_q$. If our guess is incorrect, or if the samples are not LWE samples, then the distribution will appear uniform.

Therefore, after looping through all guesses, if all the distributions appeared uniform, then conclude that the samples were not LWE samples; whereas if one of the guesses worked for all samples and always yielded an error distribution which appeared Gaussian, assume that particular $g$ was a correct guess. In the latter case this also yields one piece of information about the secret: $g = s(\alpha) \bmod q$.

The attack will succeed whenever

(1) $q$ is small enough to allow looping through $\mathbb{F}_q$,

(2) $\phi(\mathcal{U})$ and $\phi(\mathcal{G}_\sigma)$ are distinguishable.

Our analysis hinges on the difficulty of distinguishing $\phi(\mathcal{U})$ from $\phi(\mathcal{G}_\sigma)$ as a function of the parameters $\sigma$, $n$, $\ell$, $q$, and $f$. Distinguishability becomes easier when $\sigma$ is smaller (so $\mathcal{U}$ and $\mathcal{G}_\sigma$ are farther apart to begin with), $n$ is smaller and $q$ is larger (since then less information is lost in the map $\phi$), and $\ell$ is larger (since there are more samples to test the distributions). The dependence on $f$ comes primarily as a function of its roots $\alpha_i$ modulo $q$, which may have properties that make distinguishing easier.

Ideally, for higher security, one will choose parameters that make distinguishing nearly impossible, i.e. such that $\phi(\mathcal{G}_\sigma)$ appears very close to uniform modulo $q$.

Example. ([EHL]) We illustrate the attack in the simplest case $\alpha = 1$. Assume $f(1) = 0 \bmod q$, and consider the distinguishability of the two distributions $\phi(\mathcal{U})$ and $\phi(\mathcal{G}_\sigma)$. Given $(a_i(x), b_i(x))$, make a guess $g \in \mathbb{F}_q$ for the value of $s(1)$ and compute $b_i(1) - g \cdot a_i(1)$. If $b_i$ is uniform, then $b_i(1) - g \cdot a_i(1)$ is uniform for all $g$. If $b_i = a_i s + e_i$, then there is a guess $g$ for which $b_i(1) - g\,a_i(1) = e_i(1)$, where $e_i(x) = \sum_{j=1}^{n} e_{ij}x^{j-1}$ and $g = s(1)$. Since $e_i(1) = \sum_{j=1}^{n} e_{ij}$ where the $e_{ij}$ are chosen from $\mathcal{G}_\sigma$, it follows that the $e_i(1)$ are sampled from $\mathcal{G}_{\sqrt{n}\sigma}$ where $n\sigma^2 \ll q$. The attack can be described loosely as follows: for each sample, test each guess $g$ in $\mathbb{F}_q$ to see if $b_i(1) - g \cdot a_i(1)$ is small modulo $q$, and only keep those guesses which pass the test. Repeat with the next sample and continue to keep only the guesses which pass.
3.1. Attack based on a small set of error values modulo q. In this section, we assume that there exists a root $\alpha$ of $f$ such that $\alpha$ has small order $r$ modulo $q$, that is $\alpha^r = 1 \bmod q$. Then
$$e(\alpha) = \sum_{i=0}^{n-1} e_i\alpha^i = (e_0 + e_r + e_{2r} + \cdots) + \alpha(e_1 + e_{r+1} + \cdots) + \cdots + \alpha^{r-1}(e_{r-1} + e_{2r-1} + \cdots). \tag{1}$$
If $r$ is small enough, then $e(\alpha)$ takes on only a small number of values modulo $q$. If so, then we can efficiently distinguish whether a value modulo $q$ belongs to that subset.

Let $S$ be the set of possible values of $e(\alpha)$ modulo $q$. We assume for simplicity that $n$ is divisible by $r$. Then the coefficients $e_j + e_{j+r} + \cdots + e_{n-r+j}$ of (1) fall into a subset of $\mathbb{Z}/q\mathbb{Z}$ of size at most $4\sigma n/r$. We sum over $r$ terms, hence $\#S = (4\sigma n/r)^r$ residues modulo $q$. For $r = 2$, this becomes $(2n\sigma)^2$.

The attack described below succeeds with high probability if $\#S \ll q$, that is
$$(4\sigma n/r)^r \ll q.$$


Algorithm 1 Small set of error values

Input: A collection of $\ell$ Poly-LWE samples.

Output: A guess $g$ for $s(\alpha)$, the value of the secret polynomial at $\alpha$; or else NOT PLWE; or INSUFFICIENT SAMPLES.

The value NOT PLWE indicates that the collection of samples were definitely not Poly-LWE samples.

The value INSUFFICIENT SAMPLES indicates that there were not enough samples to determine a single guess $s(\alpha)$. In this case, the algorithm may be continued on a new set of samples by looping the remaining surviving guesses on the new samples.

    Create an ordered list of elements of S.
    Let G be an empty list.
    for g from 0 to q - 1 do
        for (a(x), b(x)) in the collection of samples do
            if b(α) - g a(α) does not equal an element of S then
                break (i.e. begin next value of g)
        append g to G (note: occurs only if the loop of samples completed without a break)
    if G is empty then
        return NOT PLWE
    if G = {g} then
        return g
    if #G > 1 then
        return INSUFFICIENT SAMPLES


Proposition 3.1. Assume that
$$(4\sigma n/r)^r < q. \tag{2}$$
Algorithm 1 terminates in time at most $O(\ell q + nq)$, where the $O$ notation hides the $\log(q)$ factors and the implied constant depends upon $r$. Furthermore, if the algorithm returns NOT PLWE, then the samples were not valid Poly-LWE samples. If it outputs anything other than NOT PLWE, then the samples are valid Poly-LWE samples with probability $1 - (\#S/q)^{\ell}$. In particular, this probability tends to 1 as $\ell$ grows.

Proof. As discussed above, there are at most $q$ possible values for the elements of $S$ under the assumption (2). To compute each one takes $n$ additions per coefficient (of which there are $r$), combined with an additional $r$ multiplications and $r$ additions. (Here we have assumed the $\alpha^i$ have been computed; this takes $r$ multiplications.) Each addition or multiplication takes time at most $\log q$. Therefore, computing $S$ takes time at most $O(qnr)$. For sorting, it is best to sort as $S$ is computed; placing each element correctly takes $\log q$ time.

The principal double loop takes time at most $O(\ell q)$. If $b(\alpha)$ and $a(\alpha)$ are precomputed, then for each guess $g$, the computation of $b(\alpha) - g a(\alpha)$ only costs one multiplication and one subtraction modulo $q$ (i.e. $2\log q$) while it requires only $\log q$ bit comparisons to decide whether this is in the set $S$.

In Step 4, for later samples, only guesses which were successful in the previous samples (i.e. gave a value which was in the set $S$) are considered. For a sample chosen uniformly at random, one expects the number of successful guesses to be roughly $\#S$. Thus for the second sample, we repeat the above test for only $\#S$ guesses. At the $\ell$-th sample, retaining only guesses which were successful for all previous samples, we expect to test only $(\#S/q)^{\ell-1}\,q$ guesses, which very quickly goes to zero. Hence, if we examine $\ell$ samples, our tolerance for false positives is proportional to $(\#S/q)^{\ell}$.

□

3.2. Attack based on the size of the error values. In this section, we describe the most general $\phi : P_q \to \mathbb{F}_q$ attack on the Poly-LWE problem, one which can be carried out in any situation. The rub is that the probability of success will be vanishingly small unless we are in a very special situation. Therefore our analysis actually bolsters the security of Poly-LWE.

Suppose that $f(\alpha) = 0 \bmod q$. Let $E_i$ be the event that $b_i(\alpha) - g a_i(\alpha) \bmod q$ is in the interval $[-q/4, q/4)$ for some sample $i$ and guess $g$ for $s(\alpha) \bmod q$. The main idea is to compare $P(E_i \mid \mathcal{D} = \mathcal{U})$ and $P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma)$. If $\mathcal{D} = \mathcal{U}$, then $b_i(\alpha) - g a_i(\alpha)$ is random modulo $q$ for all guesses $g$, that is, $P(E_i \mid \mathcal{D} = \mathcal{U}) = \frac{1}{2}$. If $\mathcal{D} = \mathcal{G}_\sigma$, then $b_i(\alpha) - s(\alpha)a_i(\alpha) = e_i(\alpha) \bmod q$. We consider
$$e_i(\alpha) = \sum_{j=0}^{n-1} e_{ij}\alpha^j$$
where $e_{ij}$ is chosen according to the distribution $\mathcal{G}_\sigma$ (truncated at $2\sigma$) and distinguish two cases:

(1) $\alpha = \pm 1$

(2) $\alpha \neq \pm 1$ and $\alpha$ has small order $r \geq 3$ modulo $q$

Case 1 ($\alpha = \pm 1$).

The error $e_i(\alpha)$ is chosen according to the distribution $\mathcal{G}_{\sigma\sqrt{n}}$ truncated at $2\sigma\sqrt{n}$. Hence
$$-2\sigma\sqrt{n} < e_i(\alpha) < 2\sigma\sqrt{n}.$$
Therefore, assuming that
$$2\sigma\sqrt{n} < \frac{q}{4},$$
we obtain $P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma) = 1$ for $g = s(\alpha)$. Hence $\mathcal{U}$ and $\mathcal{G}_\sigma$ are distinguishable.

Case 2 ($\alpha \neq \pm 1$ and $\alpha$ has small order $r \geq 3$ modulo $q$).

The error can be written as
$$e(\alpha) = \sum_{i=0}^{n-1} e_i\alpha^i = (e_0 + e_r + \cdots) + \alpha(e_1 + e_{r+1} + \cdots) + \cdots + \alpha^{r-1}(e_{r-1} + e_{2r-1} + \cdots)$$
where we assume that $n$ is divisible by $r$ for simplicity. For $j = 0, \ldots, r-1$, we have that $e_j + e_{j+r} + \cdots + e_{j+n-r}$ is chosen according to the distribution $\mathcal{G}_{\sigma\sqrt{n/r}}$. As a consequence $e(\alpha)$ is sampled from $\mathcal{G}_{\sigma'}$ where
$$\sigma' = \sigma\sqrt{\frac{n}{r}}\,\sqrt{\sum_{i=0}^{r-1}\alpha^{2i}} = \sigma\sqrt{\frac{n}{r}}\,\sqrt{\frac{\alpha^{2r} - 1}{\alpha^2 - 1}}.$$
Hence
$$-2\sigma\sqrt{\frac{n}{r}}\,\sqrt{\frac{\alpha^{2r} - 1}{\alpha^2 - 1}} < e(\alpha) < 2\sigma\sqrt{\frac{n}{r}}\,\sqrt{\frac{\alpha^{2r} - 1}{\alpha^2 - 1}}.$$
Therefore, assuming that
$$2\sigma\sqrt{\frac{n}{r}}\,\sqrt{\frac{\alpha^{2r} - 1}{\alpha^2 - 1}} < \frac{q}{4}, \tag{3}$$
we obtain $P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma) = 1$ for $g = s(\alpha)$, and uniform and Gaussian are distinguishable. Note that Hypothesis (2) implies in particular that $\alpha^r > q$.


Algorithm 2 Small error values

Input: A collection of $\ell$ Poly-LWE samples.

Output: A guess $g$ for $s(\alpha)$; or else NOT PLWE; or INSUFFICIENT SAMPLES.

The output INSUFFICIENT SAMPLES indicates that more samples are needed to make a determination. In this case, the algorithm can be continued by looping through remaining surviving guesses on new samples.

    Let G be an empty list.
    for g from 0 to q - 1 do
        for (a(x), b(x)) in the collection of samples do
            if the minimal residue of b(α) - g a(α) does not lie in [-q/4, q/4) then
                break (i.e. begin next value of g)
        append g to G (note: occurs only if the loop of samples completed without a break)
    if G is empty then
        return NOT PLWE
    if G = {g} then
        return g
    if #G > 1 then
        return INSUFFICIENT SAMPLES


In each of the two cases, we have given conditions on the size of $\sigma$ under which $\mathcal{U}$ and $\mathcal{G}_\sigma$ are distinguishable and an attack is likely to succeed. We now elaborate on the algorithm that would be used.

We denote by $\ell$ the number of samples observed. For each guess $g \bmod q$, we compute $b_i - g a_i$ for $i = 1, \ldots, \ell$. If there is a guess $g \bmod q$ for which the event $E_i$ occurs for all $i = 1, \ldots, \ell$, then the algorithm returns the guess if it is unique and INSUFFICIENT SAMPLES otherwise; the samples are likely valid Poly-LWE samples. Otherwise, it reports that they are certainly not valid Poly-LWE samples.
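The four-stage attack of Section 3 with both tests, Algorithm 1 (Section 3.1: the image of the error lies in the small set $S$, here for a root $\alpha$ of order 3) and Algorithm 2 (Section 3.2: the minimal residue lies in $[-q/4, q/4)$, here for $\alpha = 1$), as an added Python example; it is not the paper's SAGE code from Appendix A. The toy ring $f(x) = x^6 + (q-1)$ with $q = 7927$, $\sigma = 1$, and the 30-sample budget are constructed for the demonstration and are not parameters from the paper.

```python
import math
import random

# Constructed toy instance (not the paper's parameters): f(x) = x^n + (q - 1), so that
# f(alpha) = alpha^n - 1 mod q and every alpha with alpha^n = 1 mod q is a root of f mod q.
N, Q, SIGMA = 6, 7927, 1.0                 # 7927 is prime and 7927 = 1 mod 3
F = [Q - 1] + [0] * (N - 1) + [1]          # coefficients of f, lowest degree first

def poly_eval(p, alpha, q):
    """The ring homomorphism phi: evaluate p (lowest degree first) at alpha mod q."""
    acc = 0
    for c in reversed(p):
        acc = (acc * alpha + c) % q
    return acc

def poly_mulmod(a, b, f, q):
    """Product of a and b in F_q[x]/(f) for monic f: schoolbook product, then reduce."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    for d in range(len(prod) - 1, n - 1, -1):   # clear x^d for d >= n via x^n = x^n - f
        c = prod[d]
        if c:
            for k in range(n + 1):
                prod[d - n + k] = (prod[d - n + k] - c * f[k]) % q
    return prod[:n]

def gauss_error(n, sigma, rng):
    """n coefficients from a discrete Gaussian of parameter sigma truncated at 2*sigma
    (the paper's sampling convention), by rejection sampling on the integers."""
    bound = int(2 * sigma)
    out = []
    while len(out) < n:
        k = rng.randint(-bound, bound)
        if rng.random() < math.exp(-k * k / (2 * sigma * sigma)):
            out.append(k)
    return out

def plwe_samples(s, count, rng):
    """Poly-LWE samples (a(x), b(x) = a(x)s(x) + e(x)) in P_q."""
    out = []
    for _ in range(count):
        a = [rng.randrange(Q) for _ in range(N)]
        e = gauss_error(N, SIGMA, rng)
        out.append((a, [(x + y) % Q for x, y in zip(poly_mulmod(a, s, F, Q), e)]))
    return out

def uniform_samples(count, rng):
    """Uniformly random pairs from P_q x P_q (the 'not PLWE' distribution)."""
    return [([rng.randrange(Q) for _ in range(N)], [rng.randrange(Q) for _ in range(N)])
            for _ in range(count)]

def small_value_set(alpha, r):
    """The set S of Section 3.1 for alpha of order r: e(alpha) = sum_{j<r} alpha^j C_j,
    where each C_j is a sum of n/r truncated errors, so C_j in [-2*sigma*n/r, 2*sigma*n/r]."""
    m = int(2 * SIGMA) * (N // r)
    values = {0}
    for j in range(r):
        aj = pow(alpha, j, Q)
        values = {(v + aj * c) % Q for v in values for c in range(-m, m + 1)}
    return values

def in_small_interval(v):
    """Algorithm 2's test: the minimal residue of v lies in [-q/4, q/4)."""
    res = v if v <= Q // 2 else v - Q
    return -Q / 4 <= res < Q / 4

def evaluation_attack(samples, alpha, passes):
    """Stages 1-4 of Section 3: map every sample to F_q via x -> alpha, then keep a guess
    g for s(alpha) only if passes(b(alpha) - g*a(alpha)) holds for every sample."""
    ev = [(poly_eval(a, alpha, Q), poly_eval(b, alpha, Q)) for a, b in samples]
    survivors = [g for g in range(Q) if all(passes((bv - g * av) % Q) for av, bv in ev)]
    if not survivors:
        return "NOT PLWE"
    if len(survivors) == 1:
        return survivors[0]
    return "INSUFFICIENT SAMPLES"

def run_demo(seed=1, ell=30):
    """Run Algorithm 1 (alpha of order 3) and Algorithm 2 (alpha = 1) on ell genuine
    Poly-LWE samples and on ell uniform samples; return the verdicts and the true s(alpha)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    alpha3 = next(a for a in range(2, Q) if pow(a, 3, Q) == 1)   # order 3, so a root of f
    S = small_value_set(alpha3, 3)                                # at most 9^3 = 729 << q
    real, fake = plwe_samples(s, ell, rng), uniform_samples(ell, rng)
    return {
        "alg1_real": evaluation_attack(real, alpha3, lambda v: v in S),
        "alg1_fake": evaluation_attack(fake, alpha3, lambda v: v in S),
        "alg2_real": evaluation_attack(real, 1, in_small_interval),
        "alg2_fake": evaluation_attack(fake, 1, in_small_interval),
        "s_at_alpha3": poly_eval(s, alpha3, Q),
        "s_at_1": poly_eval(s, 1, Q),
    }
```

Calling `run_demo()` returns the guesses $s(\alpha)$ recovered from the genuine samples and NOT PLWE for the uniform ones; raising `ell` lowers the false-positive tolerance $(\#S/q)^\ell$, respectively $(1/2)^\ell$, exactly as Propositions 3.1 and 3.2 describe.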


Proposition 3.2. Assume that we are in one of the following cases:

(1) $\alpha = \pm 1$ and
$$8\sigma\sqrt{n} < q.$$

(2) $\alpha$ has small order $r \geq 3$ modulo $q$, and
$$8\sigma\sqrt{\frac{n}{r}}\,\sqrt{\frac{\alpha^{2r} - 1}{\alpha^2 - 1}} < q.$$

Then Algorithm 2 terminates in time at most $O(\ell q)$, where the implied constant is absolute. Furthermore, if the algorithm returns NOT PLWE, then the samples were not valid Poly-LWE samples. If it outputs anything other than NOT PLWE, then the samples are valid Poly-LWE samples with probability at least $1 - (\frac{1}{2})^{\ell}$.

Proof. The proof is as in Proposition 3.1, without the first few steps. □

We remark that Propositions and Algorithms 3.1 and 3.2 overlap in some cases. For $\alpha = \pm 1$, Algorithm 2 is more applicable (i.e. more parameter choices are susceptible), while for $\alpha$ of other small orders, Algorithm 1 is more applicable.

4. Moving the attack from Poly-LWE to Ring-LWE 

We use the term Poly-LWE to refer to LWE problems generated by working in a polynomial ring, and reserve the term Ring-LWE for LWE problems generated by working with the canonical embedding of a number field as in [LPR, LPR13]. In the previous sections we have expanded upon Eisenträger, Hallgren and Lauter's observation that for certain distributions on certain lattices given by Poly-LWE, the ring structure presents a weakness. We will now consider whether it is possible to expand that analysis to LWE instances created through Ring-LWE for number fields besides cyclotomic ones.

In particular, the necessary ingredient is that the distribution be such that under the ring homomorphisms of Section 3, the image of the errors is a 'small' subset of $\mathbb{Z}/q\mathbb{Z}$: either the error values themselves are small, or they form a small, identifiable subset of $\mathbb{Z}/q\mathbb{Z}$. Assuming a spherical Gaussian in the canonical embedding of $R$ or $R^\vee$, we describe a class of number fields for which this weakness occurs. A similar analysis would apply without the assumption that the distribution is spherical in the canonical embedding.

Here, we set up the key players (a number field and its canonical embedding, etc.) for general number fields so that these definitions specialize to those in [LPR13]. There are some choices inherent in our setup: it may be possible to generalize Ring-LWE to number fields in several different ways. We consider the two most natural ways.

4.1. The canonical embedding. Let $K$ be a number field of degree $n$ with ring of integers $R$ whose dual is $R^\vee$. We will embed the field $K$ in $\mathbb{R}^n$. Note that our setup is essentially that of [DD], rather than [LPR13], but the difference is notational.

Let $\sigma_1, \ldots, \sigma_n$ be the $n$ embeddings of $K$, ordered so that $\sigma_1$ through $\sigma_{s_1}$ are the $s_1$ real embeddings, and the remaining $n - s_1 = 2s_2$ complex embeddings are paired in such a way that $\overline{\sigma_{s_1+k}} = \sigma_{s_1+s_2+k}$ for $k = 1, \ldots, s_2$ (i.e. list $s_2$ non-pairwise-conjugate embeddings and then list their conjugates following that).

Define a map $\theta : K \to \mathbb{R}^n$ given by
$$\theta(r) = \big(\sigma_1(r), \ldots, \sigma_{s_1}(r), \mathrm{Re}(\sigma_{s_1+1}(r)), \ldots, \mathrm{Re}(\sigma_{s_1+s_2}(r)), \mathrm{Im}(\sigma_{s_1+1}(r)), \ldots, \mathrm{Im}(\sigma_{s_1+s_2}(r))\big).$$
The image of $K$ is the $\mathbb{Q}$-span of $\theta(\omega_i)$ for any basis $\omega_i$ for $K$ over $\mathbb{Q}$. This is not the usual Minkowski embedding, but it has the virtues that 1) the codomain is a real, not complex, vector space; and 2) the spherical or elliptical Gaussians used as error distributions in [LPR13] are, in our setup, spherical or elliptical with respect to the usual inner product. We denote the usual inner product by $(\cdot, \cdot)$ and the corresponding length by $|x| = \sqrt{(x, x)}$.

It is related to the trace pairing on $K$, i.e. $(\theta(r), \theta(s)) = \mathrm{Tr}(rs)$.

Then $R$ and $R^\vee$ form lattices in $\mathbb{R}^n$.

4.2. Spherical Gaussians and error distributions. We define a Ring-LWE error distribution to be a spherical Gaussian distribution in $\mathbb{R}^n$. That is, for a parameter $\sigma > 0$, define the continuous Gaussian distribution function $D_\sigma : \mathbb{R}^n \to (0, 1]$ by
$$D_\sigma(x) := (\sqrt{2\pi}\,\sigma)^{-n}\exp\big(-|x|^2/(2\sigma^2)\big).$$
This gives a distribution $\Psi$ on $K \otimes \mathbb{R}$, via the isomorphism $\theta$ to $\mathbb{R}^n$. By approximating $K \otimes \mathbb{R}$ by $K$ to sufficient precision, this gives a distribution on $K$.

From this distribution we can generate the Ring-LWE error distribution on $R$, respectively $R^\vee$, by taking a valid discretization $\lfloor\Psi\rceil_R$, respectively $\lfloor\Psi\rceil_{R^\vee}$, in the sense of [LPR13]. Now we have at hand a lattice, $R$, respectively $R^\vee$, and a distribution on that lattice. The parameters (particularly $\sigma$) are generally advised to be chosen so that this instance of LWE is secure against general attacks on LWE (which do not depend on the extra structure endowed by the number theory).

4.3. The Ring-LWE problems. Write $R_q := R/qR$ and $R_q^\vee := R^\vee/qR^\vee$. The standard Ring-LWE problems are as follows, where $K$ is taken to be a cyclotomic field [LPR, LPR13].

Definition 4.1 (Ring-LWE Average-Case Decision [LPR]). Let $s \in R_q^\vee$ be a secret. The average-case decision Ring-LWE problem is to distinguish with non-negligible advantage between the same number of independent samples in two distributions on $R_q \times R_q^\vee$. The first consists of samples of the form $(a, b := as + e)$ where $e$ is drawn from $\chi := \lfloor\Psi\rceil_{R^\vee}$ and $a$ is uniformly random, and the second consists of uniformly random and independent samples from $R_q \times R_q^\vee$.

Definition 4.2 (Ring-LWE Search [LPR]). Let $s \in R^\vee$ be a secret. The search Ring-LWE problem is to discover $s$ given access to arbitrarily many independent samples of the form $(a, b := as + e)$ where $e$ is drawn from $\chi := \lfloor\Psi\rceil_{R^\vee}$ and $a$ is uniformly random.

In proposing general number field Ring-LWE, one of two avenues may be taken:

(1) preserve these definitions exactly as they are stated, or

(2) eliminate the duals, i.e. replace every instance of $R^\vee$ with $R$ in the definitions above.

To distinguish these two possible definitions, we will refer to dual Ring-LWE and non-dual Ring-LWE. Lyubashevsky, Peikert and Regev remark that for cyclotomic fields, dual and non-dual Ring-LWE lead to computationally equivalent problems [LPR, Section 3.3]. They go on to say that over cyclotomics, for implementation and efficiency reasons, dual Ring-LWE is superior.

Generalising dual Ring-LWE to general number fields is the most naive approach, but it presents the problem that working with the dual in a general number field may be difficult. Still, it is possible there are families of accessible number fields for which this may be the desired avenue.

We will analyse the effect of the Poly-LWE vulnerability on both of these candidate definitions. In fact, the analysis will highlight some potential differences in their security, already hinted at in the discussion in [LPR, Section 3.3].

4.4. Isomorphisms from $\theta(R)$ to a polynomial ring. Suppose $K$ is a monogenic number field, meaning that $R$ is isomorphic to a polynomial ring $P = \mathbb{Z}[X]/f(X)$ for some monic irreducible polynomial $f$ ($f$ is a monogenic polynomial). In this case, we obtain $R = \gamma R^\vee$ for some $\gamma \in R$ (here, $\gamma$ is a generator of the different ideal), so that $\theta(R^\vee)$ and $\theta(R)$ are related by a linear transformation. Thus a (dual or non-dual) Ring-LWE problem concerning the lattice $\theta(R)$ or $\theta(R^\vee)$ can be restated as a Poly-LWE problem concerning $P$.

Let $\alpha$ be a root of $f$. Then $R$ is isomorphic to $P$, via $\alpha \mapsto X$. An integral basis for $R$ is $1, \alpha, \ldots, \alpha^{n-1}$. An integral basis for $R^\vee$ is $\gamma^{-1}, \gamma^{-1}\alpha, \gamma^{-1}\alpha^2, \ldots, \gamma^{-1}\alpha^{n-1}$. Let $M_\alpha$ be the matrix whose columns are $\{\theta(\alpha^i)\}$. Let $M_\alpha^\vee$ be the matrix whose columns are $\{\theta(\gamma^{-1}\alpha^i)\}$. If $v$ is a vector of coefficients representing some $\beta \in K$ in terms of the basis $\{\alpha^i\}$ for $K/\mathbb{Q}$, then $\theta(\beta) = M_\alpha v$. In other words, $M_\alpha : P \to \theta(R)$ is an isomorphism (where $P$ is represented as vectors of coefficients). Similarly, $M_\alpha^\vee : P \to \theta(R^\vee)$ is an isomorphism.
4.5. The spectral norm. Given an $n \times n$ matrix $M$, its spectral norm $\rho = \|M\|_2$ is equal to the largest singular value of $M$. This is also equal to the largest radius of the image of a unit ball under $M$. This last interpretation allows one to bound the image of a spherical Gaussian distribution of parameter $\sigma$ on the domain of $M$ by another of parameter $\rho\sigma$ on the codomain of $M$ (in the sense that the image of the ball of radius $\sigma$ will map into a ball of radius $\rho\sigma$ after application of $M$). The spectral norm is bounded above by the Frobenius norm, which is the $\ell_2$-norm on the matrix entries.

The normalized spectral norm of $M$ is defined to be $\rho' = \|M\|_2/\det(M)^{1/n}$. The condition number of $M$ is $\kappa(M) = \|M\|_2\,\|M^{-1}\|_2$.


4.6. Moving the attack from Poly-LWE to Ring-LWE. Via the isomorphism $M := M_\alpha^{-1}$ (respectively $M := (M_\alpha^\vee)^{-1}$), an instance of the non-dual (respectively dual) Ring-LWE problem gives an instance of the Poly-LWE problem in which the error distribution is the image of the error distribution in $\theta(R)$ (respectively $\theta(R^\vee)$). In general, this may be an elliptic Gaussian distorted by the isomorphism. If the distortion is not too large, then it may be bounded by a spherical Gaussian which is not too large. In that case, a solution to the Poly-LWE problem with the new spherical Gaussian error distribution may be possible. If so, it will yield a solution to the original Ring-LWE problem.

This is essentially the same reduction described in [EHL]. However, those authors assume that the isomorphism is an orthogonal linear map; we are loosening this condition. The essential question in this loosening is how much the Gaussian distorts under the isomorphism. Our contribution is an analysis of the particular basis change.

This distortion is governed by the spectral norm $\rho$ of $M$. If the continuous Gaussian in $\mathbb{R}^n$ is of parameter $\sigma$ (with respect to the standard basis of $\mathbb{R}^n$), then the new spherical Gaussian bounding its image is of parameter $\rho\sigma$ with respect to $P$ (in terms of the coefficient representation). The appropriate analysis for discrete Gaussians is slightly more subtle. Loosely speaking, we find that a Ring-LWE instance is weak if the following three things occur:

(1) $K$ is monogenic.

(2) $f$ satisfies $f(1) = 0 \pmod q$.

(3) $\rho$ and $\sigma$ are sufficiently small.

The first condition guarantees the existence of appropriate isomorphisms to a polynomial ring; the second and third are required for the Poly-LWE attack to apply. The purpose of the third requirement is that the discrete Gaussian distribution in $\mathbb{R}^n$ transfers to give vectors $e(x)$ in the polynomial ring having the property that $e(1)$ lies in the range $[-q/4, q/4)$ except with negligible probability; this allows Algorithm 3.2 and the conclusions of Proposition 3.2 to apply.

Let us now state our main result.

Theorem 4.3. Let $K$ be a number field such that $K = \mathbb{Q}(\beta)$, and the ring of integers of $K$ is equal to $\mathbb{Z}[\beta]$. Let $f$ be the minimal polynomial of $\beta$ and suppose $q$ is a prime such that $f$ has root $1$ modulo $q$. Finally, suppose that the spectral norm $\rho$ of $M_\beta^{-1}$ satisfies
$$\rho < \frac{q}{4\sqrt{2\pi}\,\sigma n}.$$
Then the non-dual Ring-LWE decision problem for $K, q, \sigma$ can be solved in time $O(\ell q)$ with probability $1 - 2^{-\ell}$, using a dataset of $\ell$ samples.


Proof. Sampling a discrete Gaussian with parameter $\sigma$ results in vectors of norm at most $\sqrt{2\pi}\,\sigma\sqrt{n}$ except with probability at most $2^{-2n}$ [LPR13, Lemma 2.8]. Considering the latter to be negligible, we can expect error vectors to satisfy $\|v\|_2 \le \sqrt{2\pi}\,\sigma\sqrt{n}$, and their images $e(x)$ in the polynomial ring to satisfy
$$|e(1)| \le \|e(x)\|_1 \le \sqrt{n}\,\|e(x)\|_2 \le \sqrt{n}\,\rho\,\sqrt{2\pi}\,\sigma\sqrt{n} = \rho\sqrt{2\pi}\,\sigma n.$$
Therefore, if
$$\rho\sqrt{2\pi}\,\sigma n < q/4,$$
then we may apply the attack of Section 3.2, which assumes $f(1) \equiv 0 \pmod q$ and that the error values $e(1)$ lie in $[-q/4, q/4)$. $\square$
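The attack invoked in this proof is Algorithm 2 of Section 3.2, run on the Poly-LWE side. The following Python is an added illustration of it, not code from the paper (the authors' own Sage implementation is in Appendix A). Samples live in $(\mathbb{Z}/q\mathbb{Z})[x]/(f)$ with $f(1) \equiv 0 \pmod q$, so evaluation at $1$ is a ring homomorphism to $\mathbb{Z}/q\mathbb{Z}$ and $b(1) - s(1)a(1) = e(1)$ is small; the loop over residues $g$ keeps those with $b(1) - g\,a(1) \in [-q/4, q/4)$ for every sample, which costs $O(\ell q)$. The error model (coefficients uniform in $[-2, 2]$, a toy stand-in for the discrete Gaussian) and the parameters $f = x^8 + 256$, $q = 257$ are constructed for this demonstration and are not the paper's.

```python
# Added example: Algorithm 2 (Poly-LWE decision attack for f(1) = 0 mod q) in plain Python.
# Not from the paper. Polynomials are coefficient lists (index i = coefficient of x^i)
# with entries in 0..q-1, reduced modulo a monic f of degree n.
import random


def poly_mul_mod(a, b, f, q):
    """Product a*b in (Z/qZ)[x]/(f); f is monic, given as its n+1 coefficients."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % q
    # eliminate x^k, k >= n, using x^n = -(f_0 + f_1 x + ... + f_{n-1} x^{n-1})
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for i in range(n):
                prod[k - n + i] = (prod[k - n + i] - c * f[i]) % q
    return prod[:n]


def eval_at_one(p, q):
    """p -> p(1): a ring homomorphism (Z/qZ)[x]/(f) -> Z/qZ exactly when f(1) = 0 mod q."""
    return sum(p) % q


def centred(v, q):
    """Representative of v mod q in [-q/2, q/2]."""
    v %= q
    return v - q if 2 * v > q else v


def lwe_samples(rng, secret, f, q, count, bound=2):
    """Constructed Poly-LWE samples (a, a*s + e): a uniform, e with coefficients uniform in
    [-bound, bound] (a toy stand-in for the discrete Gaussian; the attack only needs |e(1)| < q/4)."""
    n = len(f) - 1
    out = []
    for _ in range(count):
        a = [rng.randrange(q) for _ in range(n)]
        e = [rng.randint(-bound, bound) for _ in range(n)]
        b = [(c + d) % q for c, d in zip(poly_mul_mod(a, secret, f, q), e)]
        out.append((a, b))
    return out


def uniform_samples(rng, n, q, count):
    """Constructed samples with b uniform and independent of a (the 'random' side of the decision problem)."""
    return [([rng.randrange(q) for _ in range(n)], [rng.randrange(q) for _ in range(n)])
            for _ in range(count)]


def surviving_residues(samples, q):
    """Algorithm 2: residues g for which b(1) - g*a(1) lies in [-q/4, q/4) for every sample.
    Cost O(len(samples) * q).  With LWE samples, g = s(1) always survives when |e(1)| < q/4;
    with uniform samples each g survives each sample with probability about 1/2."""
    pairs = [(eval_at_one(a, q), eval_at_one(b, q)) for a, b in samples]
    return [g for g in range(q)
            if all(4 * abs(centred(b1 - g * a1, q)) < q for a1, b1 in pairs)]


def decide_lwe(samples, q):
    """Decision Poly-LWE: answer 'LWE' iff some residue survives all the samples."""
    return len(surviving_residues(samples, q)) > 0


def demo(seed=1, q=257, n=8, count=40):
    """Run the attack once on f_{n,q} = x^n + q - 1 (so f(1) = q).  Returns
    (s(1) mod q, survivors on LWE samples, verdict on uniform samples)."""
    f = [q - 1] + [0] * (n - 1) + [1]
    assert eval_at_one(f, q) == 0          # root 1 modulo q: the attack's precondition
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    lwe = lwe_samples(rng, s, f, q, count)
    uni = uniform_samples(rng, n, q, count)
    return eval_at_one(s, q), surviving_residues(lwe, q), decide_lwe(uni, q)


if __name__ == "__main__":
    s1, survivors, uniform_verdict = demo()
    print("s(1) mod q =", s1, "; survivors =", survivors, "; uniform judged LWE?", uniform_verdict)
```

With 40 samples a uniform residue survives with probability about $2^{-40}$ per residue, so the uniform instance is rejected, while $s(1)$ is always among the survivors of the LWE instance; the attack recovers only $s(1)$, which is exactly what the decision problem needs.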

In what follows, we find a family of polynomials satisfying the conditions of the theorem, and give heuristic arguments that such families are in fact very common. The other cases (roots $\alpha$ of small order other than $\alpha = 1$) appear out of reach for now, simply because the required bounds on $\rho$ are much more difficult to attain. We will not examine them closely.


4.7. Choice of $\sigma$. The parameters of Section 2.1 are used in implementations where the Gaussian is taken over $(\mathbb{Z}/q\mathbb{Z})^n$, and security depends upon the proportion of this space included in the `bell', meaning, it depends upon the ratio $q/\sigma$. In the case of Poly-LWE, sampling is done on the coefficients, which effectively live in the space $(\mathbb{Z}/q\mathbb{Z})^n$, so this is appropriate. However, in Ring-LWE, the embedding $\theta(R)$ in $\mathbb{R}^n$ may be very sparse (i.e. $\theta(R^\vee)$ may be very dense). Still, the security will hinge upon the proportion of $\theta(R)/q\theta(R)$ that is contained in the bell. We have not seen a discussion of security parameters for Ring-LWE in the literature, and so we propose that the appropriate meaning of the width of the Gaussian, $w$, in this case is
$$w := \sqrt{2\pi}\,\sigma' := \sqrt{2\pi}\,\sigma\,\det(M_\alpha)^{-1/n}, \qquad (4)$$
where $\sigma'$ is defined by the above equality. The reason for this choice is that $\theta(R)$ has covolume $\det(M_\alpha)$; a very sparse lattice (corresponding to a large determinant) needs a correspondingly large $\sigma$ so that the same proportion of its vectors lie in the bell.

If $\rho$ represents the spectral norm of $M_\alpha^{-1}$ (which has determinant $\det(M_\alpha)^{-1}$), then
$$\rho' := \rho\,\det(M_\alpha)^{1/n}$$
is the normalized spectral norm. Therefore $\rho\sigma = \rho'\sigma'$. Hence the bound of Theorem 4.3 becomes
$$\rho' < \frac{q}{4wn}. \qquad (5)$$


5. Provably weak Ring-LWE number fields

Consider the family of polynomials
$$f_{n,q}(x) = x^n + q - 1$$
for $q$ a prime. These satisfy $f(1) = q \equiv 0 \pmod q$. By the Eisenstein criterion, they are irreducible whenever $q - 1$ has a prime factor that appears to exponent $1$. These polynomials have discriminant [M] given by
$$(-1)^{n(n-1)/2}\, n^n\,(q-1)^{n-1}.$$

Proposition 5.1. Let $n$ be a power of a prime $\ell$. If $q - 1$ is squarefree and $\ell^2 \nmid \big((1-q)^n - (1-q)\big)$, then the polynomials $f_{n,q}$ are monogenic.


Proof. This is a result of Gassert [G, Theorem 5.1.4]. As stated, Theorem 5.1.4 of [G] requires $\ell$ to be an odd prime. However, for the monogenicity portion of the conclusion, the proof goes through for $\ell = 2$. $\square$
Proposition 5.2. Suppose that $f_{n,q}$ is irreducible, and the associated number field has $r_2$ complex embeddings. Then $r_2 = n/2$ or $(n-1)/2$ (whichever is an integer), and the normalized spectral norm of $M_\alpha^{-1}$ is exactly
$$\rho' = 2^{-r_2/n}\,(q-1)^{\frac{n-1}{2n}}.$$

Proof. Let $\alpha$ be the positive real $n$-th root of $q - 1$. Then the roots of the polynomial are exactly $\alpha\zeta_{2n}^{\,j}$ for $j$ odd with $1 \le j < 2n$. The embeddings take $\alpha$ to each of these roots. There is $r_1 = 1$ real embedding if $n$ is odd (otherwise $r_1 = 0$), and the rest are $r_2$ complex conjugate pairs, so that $n = r_1 + 2r_2$. The $r$-th column of $M_\alpha$ is the image of $\alpha^r$ under the $n$ embeddings, so the Hermitian dot product of the $r$-th and $s$-th columns ($r \neq s$) is
$$\sum_{k=0}^{n-1} \alpha^{r+s}\,\zeta_{2n}^{(r-s)(2k+1)} = \alpha^{r+s}\,\zeta_{2n}^{\,r-s}\sum_{k=0}^{n-1}\zeta_{n}^{(r-s)k} = 0.$$
Therefore the columns of the matrix are orthogonal to one another. Hence its singular values are the lengths of its column vectors, which for the $r$-th column is
$$\sqrt{\sum_{k=0}^{n-1}\alpha^{2r}} = \sqrt{n}\,\alpha^{r}.$$
Therefore the smallest singular value of $M_\alpha$ is $\sqrt{n}$ and the largest is $\sqrt{n}\,\alpha^{n-1}$. Correspondingly, the largest singular value of $M_\alpha^{-1}$ is $1/\sqrt{n}$.

A standard result of number theory relates the determinant of $M_\alpha$ to the discriminant of $K$ via
$$\det(M_\alpha) = 2^{-r_2}\sqrt{|\mathrm{disc}(f_{n,q})|},$$
where $r_2 \le n/2$ is the number of complex embeddings of $K$. Combining the smallest singular value of $M_\alpha$ (equivalently, the largest singular value $1/\sqrt{n}$ of $M_\alpha^{-1}$) with this determinant (the discriminant is given explicitly at the beginning of this section) gives
$$\rho' = \frac{1}{\sqrt{n}}\Big(2^{-r_2}\, n^{n/2}\,(q-1)^{(n-1)/2}\Big)^{1/n} = 2^{-r_2/n}\,(q-1)^{\frac{n-1}{2n}}. \qquad \square$$


Theorem 5.3. Suppose $q$ is prime, $n$ is an integer and $f = f_{n,q}$ satisfies

(1) $n$ is a power of a prime $p$,

(2) $q - 1$ is squarefree,

(3) $p^2 \nmid \big((1-q)^n - (1-q)\big)$,

(4) we have $\tau > 1$, where
$$\tau := \frac{q}{2\sqrt{2}\; w\, n\,(q-1)^{\frac{n-1}{2n}}}.$$

Then the non-dual Ring-LWE decision problem for $f$ and $w$ (defined by (4)) can be solved in time $O(\ell q)$ with probability $1 - 2^{-\ell}$, using a dataset of $\ell$ samples.

Proof. Under the stated conditions, $f$ has root $1$ modulo $q$, and therefore Poly-LWE is vulnerable to the attack specified in Algorithm 2. The other properties guarantee the applicability of Theorem 4.3 via Propositions 5.1 and 5.2. $\square$


Under the assumption that $q - 1$ is squarefree for infinitely many primes $q$, this provides a family of examples which are susceptible to attack (taking, for example, $n$ an appropriate power of $2$; note that in this case item (3) is automatic).

Interestingly, their susceptibility increases as $q$ increases relative to $n$. It is the ratio $\sqrt{q}/n$, rather than their overall size, which controls the vulnerability (at least as long as $q$ is small enough to run a loop through the residues modulo $q$).

The quantity $\tau$ can be considered a measure of security against this attack; it should be small to indicate higher security. For the various parameters indicated in Section 2.1, the value of $\tau$ is:
parameters   P_LP1    P_LP2    P_LP3    P_GF     P_BCNS
tau          0.0136   0.0108   0.0090   0.0063   5.0654


The bound on $\tau$ in Theorem 5.3 is stronger than what is required in practice for the attack to succeed. In particular, the spectral norm of the transformation $M_\alpha^{-1}$ does not reflect the average behaviour; it is a worst case. As $n$ increases, it is increasingly unlikely that error samples happen to lie in just the right direction from the origin to be inflated by the full spectral norm. Furthermore, we assumed in the analysis of Theorem 4.3 an overly generous bound on the error vectors.

The proof is in the pudding: in Section 9 we have implemented several successful attacks. 
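Before turning to the implemented attacks, here is an added numerical check (not from the paper) of the computation behind Proposition 5.2 and of the quantity $\tau$. It builds the columns $\sigma(\alpha^r)$ of the canonical embedding of $\mathbb{Z}[\alpha]$, $\alpha = (q-1)^{1/n}$, confirms that they are orthogonal with lengths $\sqrt{n}\,\alpha^r$, computes $\rho'$ from the formula in the proof, $\|M_\alpha^{-1}\|_2\det(M_\alpha)^{1/n}$ with $\det(M_\alpha) = 2^{-r_2}\sqrt{|\mathrm{disc} f|}$, compares it with the closed form $2^{-r_2/n}(q-1)^{(n-1)/(2n)}$, and checks that $\tau > 1$ is the same condition as the bound (5). The small parameters $n = 4$, $q = 7$ and $n = 8$, $q = 257$ are chosen only for the demonstration; the $\tau$ values of the last two Section 9 rows ($n = 192$, $q = 4093$, $w = 8.87$ and $n = 256$, $q = 8191$, $w = 8.35$) are recovered at the end.

```python
# Added example (not from the paper): numerical check of Proposition 5.2 and of tau (Theorem 5.3)
# for f_{n,q} = x^n + q - 1.  The complex matrix whose columns are sigma(alpha^r) is used for the
# orthogonality and column-length computation; det(M_alpha) is taken from the formula in the
# proof of Proposition 5.2, det(M_alpha) = 2^(-r2) sqrt|disc f|, |disc f| = n^n (q-1)^(n-1).
import cmath
import math


def embedding_columns(n, q):
    """Column r = (sigma_j(alpha^r))_j over the n embeddings alpha -> alpha*zeta_{2n}^j, j odd."""
    alpha = (q - 1) ** (1.0 / n)
    roots = [alpha * cmath.exp(1j * math.pi * j / n) for j in range(1, 2 * n, 2)]
    return [[root ** r for root in roots] for r in range(n)]


def hermitian_dot(u, v):
    return sum(a * b.conjugate() for a, b in zip(u, v))


def max_column_overlap(cols):
    """Largest |<c_r, c_s>| over r != s; orthogonality means this is ~0 (floating point)."""
    n = len(cols)
    return max(abs(hermitian_dot(cols[r], cols[s])) for r in range(n) for s in range(n) if r != s)


def column_lengths(cols):
    return [math.sqrt(hermitian_dot(c, c).real) for c in cols]


def predicted_lengths(n, q):
    """sqrt(n) * alpha^r, the singular values found in the proof of Proposition 5.2."""
    alpha = (q - 1) ** (1.0 / n)
    return [math.sqrt(n) * alpha ** r for r in range(n)]


def normalized_spectral_norm(n, q):
    """rho' = ||M_alpha^{-1}||_2 * det(M_alpha)^(1/n), with ||M_alpha^{-1}||_2 = 1/sqrt(n)
    (the smallest column length is sqrt(n)) and det(M_alpha) = 2^(-r2) sqrt(n^n (q-1)^(n-1)).
    Computed in logarithms so that large n, q do not overflow."""
    r2 = n // 2                                     # n/2 or (n-1)/2, whichever is an integer
    log_det = -r2 * math.log(2) + 0.5 * (n * math.log(n) + (n - 1) * math.log(q - 1))
    return math.exp(log_det / n) / math.sqrt(n)


def closed_form(n, q):
    """The same quantity simplified: 2^(-r2/n) (q-1)^((n-1)/(2n))."""
    r2 = n // 2
    return 2.0 ** (-r2 / n) * (q - 1) ** ((n - 1) / (2.0 * n))


def tau(n, q, w):
    """Theorem 5.3's security measure; the attack is proven to apply when tau > 1."""
    return q / (2 * math.sqrt(2) * w * n * (q - 1) ** ((n - 1) / (2.0 * n)))


def bound_5_holds(n, q, w):
    """Bound (5) of Section 4.7: rho' < q / (4 w n).  For even n this is equivalent to tau > 1."""
    return normalized_spectral_norm(n, q) < q / (4.0 * w * n)


if __name__ == "__main__":
    cols = embedding_columns(4, 7)
    print("max column overlap:", max_column_overlap(cols))
    print("column lengths:", column_lengths(cols), "predicted:", predicted_lengths(4, 7))
    print("rho'(8, 257) =", normalized_spectral_norm(8, 257), "closed form:", closed_form(8, 257))
    for n, q, w in [(192, 4093, 8.87), (256, 8191, 8.35)]:
        print("tau(%d, %d, %.2f) = %.4f; bound (5) holds: %s"
              % (n, q, w, tau(n, q, w), bound_5_holds(n, q, w)))
```

The logarithmic form of `normalized_spectral_norm` matters in practice: for $n$ in the hundreds, $n^n(q-1)^{n-1}$ does not fit in a floating-point number, while $\rho'$ itself is modest.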

6. Heuristics on the prevalence of weak Ring-LWE number fields

In this section, we argue that many examples satisfying Theorem 4.3 are very likely to exist. In fact, each of the individual conditions is fairly easy to attain. We will see in what follows that given a random monogenic number field, there is with significant probability at least one prime $q$ for which Ring-LWE is vulnerable (i.e. the bound (5) is attained) for parameters comparable to those of $P_{BCNS}$. Note that in this parameter range, the spectral norm is expensive to compute directly.

6.1. Monogenicity. Monogenic fields are expected to be quite common in the following sense. If $f$ of degree $n \ge 4$ is taken to be a random polynomial (i.e. its coefficients are chosen randomly), then it is conjecturally expected that with probability greater than $0.307$, $P = \mathbb{Z}[x]/(f(x))$ will be the ring of integers of a number field [K]. In particular, if $f$ has squarefree discriminant, this will certainly happen. Furthermore, cyclotomic fields are monogenic, as are the families described in the last section.

However, at degrees $n$ of the size considered in Section 6.2, the discriminant of $f$ is too large to test for squarefreeness, so testing for monogenicity may not be feasible. Kedlaya has developed a method for constructing examples of arbitrary degree [K].

6.2. Examples, $n = 2^{10}$, $q \approx 2^{32}$. Consider the following examples:
$$f(x) = x^{1024} + (2^{31} + 14)\,x + 2^{31}, \qquad q = 4294967311,$$
$$f(x) = x^{1024} + (2^{31} + 2^{30} + 22)\,x + (2^{31} + 2^{30}), \qquad q = 6442450967,$$
$$f(x) = x^{1024} + (2^{31} + 2^{30} + 29)\,x + (2^{31} + 2^{30} + 5), \qquad q = 6442450979.$$
These examples are discussed at greater length in Section 7.2, where the method for constructing them is explained. In each case, $f(1) \equiv 0 \pmod q$.

In this size range, we were not able to compute the spectral norm of $M_f^{-1}$ directly in a reasonable amount of time. In the next few sections we will make persuasive heuristic arguments that it can be expected to have $\rho'$ well within the required bound (5), i.e. $\rho' < 2^{16}$. That is, we expect these examples and others like them to be vulnerable.

6.3. Heuristics for the spectral norm. In this section, we will bound the normalized spectral norm by a multiple of the condition number. Then, for polynomials of the form $x^n + ax + b$, we will argue heuristically that this is frequently small.

Let us recall a standard result of number theory. For a number field $K$ with $r_1$ real embeddings and $r_2$ conjugate pairs of complex embeddings, the determinant of the canonical embedding is
$$\det(M_f) = 2^{-r_2}\sqrt{|\Delta_K|}. \qquad (6)$$
Under the assumption that $\mathbb{Z}[X]/f(X)$ is indeed a ring of integers, $\Delta_K = \mathrm{Disc}(f)$. The condition number $\kappa(M_f)$ satisfies
$$\kappa(M_f) = \|M_f^{-1}\|_2\,\|M_f\|_2, \qquad (7)$$
while the normalized spectral norm is
$$\rho' = \|M_f^{-1}\|_2\,\det(M_f)^{1/n}. \qquad (8)$$
We wish to show that
$$\rho' \le 2\kappa(M_f).$$
To that end, we combine (7) and (8):
$$\frac{2\kappa(M_f)}{\rho'} = \frac{2\|M_f\|_2}{\det(M_f)^{1/n}} \ge \frac{2\det(M_f)^{1/n}}{\det(M_f)^{1/n}} = 2 \ge 1,$$
since the largest singular value $\|M_f\|_2$ is at least the geometric mean $\det(M_f)^{1/n}$ of the singular values.

Now restrict to polynomials of the form $f(x) = x^n + ax + b$. The condition number of $M_f$ is hard to access theoretically, but heuristically, for random perturbations of any fixed matrix, most perturbations are well-conditioned (having small condition number) [TV]. The matrix $M_f$ is a perturbation of $M_p$ for $p = x^n + 1$. The extent of this perturbation can be bounded in terms of the coefficients $a$ and $b$, since the perturbation is controlled by the perturbation in the roots of the polynomial. It is a now-standard result in numerical analysis, due to Wilkinson, that roots may be ill-conditioned in this sense, but the condition number can be bounded in terms of the coefficients $a$ and $b$. This implies that, heuristically, $\kappa(M_f)$ is likely to be small quite frequently.

In conclusion, we expect to find that many $f(x)$ will have $\rho'$ quite small.


6.4. Experimental evidence for the spectral norm. We only ran experiments in a small range due to limitations of our Sage implementation ([S]). The polynomials $x^n + ax + b$, $-60 \le a, b \le 60$, were plotted on a $\max\{a,b\}$-by-$\rho'$ plane. The result is as follows:

[Figure: scatter plot of $\rho'$ against $\max\{a,b\}$ for the polynomials $x^n + ax + b$, $-60 \le a, b \le 60$; the grey line is $y = \sqrt{x}$.]

There are some examples with quite high $\rho'$, but the majority cluster low. The grey line is $y = \sqrt{x}$. Therefore, we may conjecture based on this experiment that we may expect to find plenty of $f$ satisfying $\rho' < \sqrt{\max\{a,b\}}$.

Experimentally, we may guess that the examples of Section 6.2, for which $n = 2^{10}$ and $\max\{a,b\} < 2^{32}$, will frequently satisfy $\rho' < 2^{16}$, which is within the range required by Theorem 4.3. (Note that the coefficients cannot be taken smaller if $f$ is to have root $1$ modulo a prime $q \approx 2^{32}$.)
7. Weak Poly-LWE number fields

7.1. Finding $f$ and $q$ with roots of small order. It is relatively easy to generate polynomials $f$ and primes $q$ for which $f$ has a root of given order modulo $q$. There are two approaches: given $f$, find a suitable $q$; and given $q$, find a suitable $f$. Since there are other conditions one may require for other reasons (particularly on $f$), we focus on the first of these.

Given $f$, in order to find $q$ such that $f$ has a root of small order (this includes the cases $\alpha = \pm 1$), the following algorithm can be applied.

Algorithm 3 Finding primes $q$ such that $f(X)$ has a root of small order modulo $q$
Input: A non-cyclotomic irreducible polynomial $f(X) \in \mathbb{Z}[X]$; and an integer $m \ge 1$.
Output: A prime $q$ such that $f(X)$ has a root of order $m$ modulo $q$.

(1) Let $\Phi_m(X)$ be the $m$-th cyclotomic polynomial. Apply the extended Euclidean algorithm to $f(X)$ and $\Phi_m(X)$ over the ring $\mathbb{Q}[X]$ to obtain $a(X), b(X)$ such that
$$a(X)\,f(X) + b(X)\,\Phi_m(X) = 1.$$
(Note that $1$ is the GCD of $f(X)$ and $\Phi_m(X)$ by assumption.)

(2) Let $d$ be the least common multiple of all the denominators of the coefficients of $a$ and $b$.

(3) Factor $d$.

(4) Return the largest prime factor of $d$.

It is also possible to generate examples by first choosing $q$ and searching for appropriate $f$. For example, taking $f(x) = \Phi_m(x)\,g(x) + q$, where $g(x)$ is monic of degree $n - \deg\Phi_m$, suffices whenever $\Phi_m$ has a root modulo $q$ (i.e. $q \equiv 1 \pmod m$). Both methods can be adapted to find $f$ having any specified root modulo $q$.
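Algorithm 3 in runnable form, as an added example that is not the paper's code (Appendix A.2, referred to below, is the authors' own Sage version). The extended Euclidean algorithm runs over $\mathbb{Q}[X]$ with exact fractions, $d$ is the least common multiple of the Bezout denominators, and the largest prime factor of $d$ is returned; `has_root_of_order` then confirms the output by brute force, which is the check a user of the algorithm would want before trusting $q$. The input $f = x^4 + 3x + 7$ is a constructed toy polynomial; the trial-division factoring of $d$ is fine at this size but not at the sizes of Section 7.2.

```python
# Added example (not from the paper): Algorithm 3 over Q[X] with exact Fractions.
# Polynomials are lists of coefficients, lowest degree first.
from fractions import Fraction
from math import gcd


def trim(p):
    """Drop trailing zero coefficients in place (keep at least one entry)."""
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def add(p, r):
    n = max(len(p), len(r))
    return trim([(p[i] if i < len(p) else 0) + (r[i] if i < len(r) else 0) for i in range(n)])


def mul(p, r):
    out = [Fraction(0)] * (len(p) + len(r) - 1)
    for i, pi in enumerate(p):
        for j, rj in enumerate(r):
            out[i + j] += pi * rj
    return trim(out)


def divmod_poly(p, r):
    """Quotient and remainder of p by r in Q[X] (r nonzero)."""
    p = [Fraction(c) for c in p]
    quot = [Fraction(0)] * max(1, len(p) - len(r) + 1)
    while len(p) >= len(r) and any(p):
        k = len(p) - len(r)
        c = p[-1] / r[-1]
        quot[k] = c
        for i, ri in enumerate(r):
            p[k + i] -= c * ri
        trim(p)
    return trim(quot), p


def ext_gcd(f, g):
    """Return (a, b, d) with a*f + b*g = d, d the monic gcd; the invariant a_i f + b_i g = r_i
    is carried through the Euclidean remainder sequence."""
    r0, r1 = [Fraction(c) for c in f], [Fraction(c) for c in g]
    a0, a1 = [Fraction(1)], [Fraction(0)]
    b0, b1 = [Fraction(0)], [Fraction(1)]
    while any(r1):
        quo, rem = divmod_poly(r0, r1)
        r0, r1 = r1, rem
        a0, a1 = a1, add(a0, mul([-1], mul(quo, a1)))
        b0, b1 = b1, add(b0, mul([-1], mul(quo, b1)))
    lead = r0[-1]
    return [c / lead for c in a0], [c / lead for c in b0], [c / lead for c in r0]


def cyclotomic(m):
    """Phi_m(X) over Z, from X^m - 1 = prod_{d | m} Phi_d(X)."""
    num = [Fraction(-1)] + [Fraction(0)] * (m - 1) + [Fraction(1)]   # X^m - 1
    for d in range(1, m):
        if m % d == 0:
            num, rem = divmod_poly(num, cyclotomic(d))
            assert not any(rem)
    return num


def lcm_of_denominators(polys):
    d = 1
    for p in polys:
        for c in p:
            d = d * c.denominator // gcd(d, c.denominator)
    return d


def largest_prime_factor(d):
    best, p = 1, 2
    while p * p <= d:
        while d % p == 0:
            best, d = p, d // p
        p += 1
    return max(best, d) if d > 1 else best


def algorithm_3(f, m):
    """Steps (1)-(4): Bezout coefficients of f and Phi_m, lcm d of their denominators,
    largest prime factor of d."""
    a, b, d = ext_gcd(f, cyclotomic(m))
    assert d == [1], "f and Phi_m are not coprime"
    return largest_prime_factor(lcm_of_denominators([a, b]))


def has_root_of_order(f, m, q):
    """Brute-force check of the output: some x mod q has f(x) = 0 and multiplicative order m."""
    for x in range(1, q):
        if sum(c * pow(x, i, q) for i, c in enumerate(f)) % q == 0:
            if pow(x, m, q) == 1 and all(pow(x, k, q) != 1 for k in range(1, m)):
                return True
    return False


if __name__ == "__main__":
    F = [7, 3, 0, 0, 1]          # constructed toy input: x^4 + 3x + 7
    for m in (1, 2, 3):
        q = algorithm_3(F, m)
        print("m = %d: q = %d, root of order m mod q? %s" % (m, q, has_root_of_order(F, m, q)))
```

For $m = 1$ and $m = 2$ the denominators are just $f(1)$ and $f(-1)$, which is why the examples of Section 7.2 could be built by choosing $a + b$ directly; for $m = 3$ the denominator is the norm of $f(\omega)$, $\omega$ a primitive cube root of unity, and the returned prime $q = 37$ is exactly the prime modulo which $f$ acquires a root of order $3$.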

7.2. Examples, $n = 2^{10}$, $q \approx 2^{32}$. For the range $n = 2^{10}$, we hope to find $q \approx 2^{32}$. Examples were found by applying Algorithm 3 to polynomials $f(x)$ of the form $x^n + ax + b$ for $a, b$ chosen from a likely range. Examples are copious and not difficult to find (see Appendix A.2 for code).

Case $\alpha = 1$. A few typical examples of irreducible $f$ with $1$ as a root modulo $q$ are:
$$f(x) = x^{1024} + (2^{31} + 14)\,x + 2^{31}, \qquad q = 4294967311,$$
$$f(x) = x^{1024} + (2^{31} + 2^{30} + 22)\,x + (2^{31} + 2^{30}), \qquad q = 6442450967,$$
$$f(x) = x^{1024} + (2^{31} + 2^{30} + 29)\,x + (2^{31} + 2^{30} + 5), \qquad q = 6442450979.$$
These examples satisfy condition (1) of Proposition 3.2 with $\sigma = 3$, hence are vulnerable.

Case $\alpha = -1$. Here is an irreducible $f$ with root $-1$:
$$f(x) = x^{1024} + (2^{31} + 9)\,x - (2^{31} + 7), \qquad q = 4294967311 \approx 2^{32}.$$
This example similarly satisfies condition (1) of Proposition 3.2 and so is vulnerable.

Case $\alpha$ of small order. Here is an irreducible $f$ with a root of order $3$:
$$f(x) = x^{1024} + (2^{20} + 2)\,x - 2^{20}, \qquad q = 1099514773507 \approx 2^{40}.$$
This example has $q \approx 2^{40}$; taking this larger $q$ allows us to satisfy condition (2) of Proposition 3.1 and hence it is vulnerable to Algorithm 1.
7.3. Examples of weak Poly-LWE number fields with additional properties. In this section we will give examples of number fields $K = \mathbb{Q}[x]/(f(x))$ which are vulnerable to our attack on Poly-LWE. They will be vulnerable by satisfying one of the following two possible conditions:

R: $f(1) \equiv 0 \pmod q$.

R': $f$ has a root of small order modulo $q$.

We must also require:

Q: The prime $q$ can be chosen suitably large.

The examples we consider are cyclotomic fields and therefore Galois and monogenic. One should note that guaranteeing R (or R') together with Q is nontrivial in general. In addition to these, there are additional conditions for the attack explained in [EHL]. The desirable conditions are:

G: $K$ is Galois.

M: $K$ is monogenic.

S: The ideal $(q)$ splits completely in the ring of integers $R$ of $K$, and $q \nmid [R : \mathbb{Z}[\beta]]$.

O: The transformation between the canonical embedding of $K$ and the power basis representation of $K$ is given by a scaled orthogonal matrix.

Conditions G and S are needed for the Search-to-Decision reduction, and Conditions M and O are needed for the Ring-LWE to Poly-LWE reduction in [EHL].

Note that checking the splitting condition for fields of cryptographic size is not computationally feasible in general. However, we are able to give a sufficient condition for certain splittings which is quite fast to check.

Proposition 7.1. Let $f(x) = x^{2^{k-1}} + 1$ be the $2^k$-th cyclotomic polynomial and $R$ the ring of integers of $K = \mathbb{Q}(\zeta_{2^k})$. If $f(2) \equiv 0 \pmod q$ then $q$ splits in $R$.

Proof. Since $2^{2^{k-1}} \equiv -1 \pmod q$, it follows that $(2^a)^{2^{k-1}} = (-1)^a = -1 \pmod q$ for all odd $a \in \mathbb{Z}$, so every odd power of $2$ is a root of $f$ modulo $q$. We show that $2, 2^3, 2^5, \ldots, 2^m$, where $m = 2^k - 1$, are all distinct modulo $q$, hence that $f(x)$ has $2^{k-1}$ distinct roots modulo $q$, i.e. $f(x)$ splits modulo $q$. Assume that $2^i \equiv 2^j \pmod q$ for some $1 \le i < j \le 2^k - 1$. Then $2^{j-i} \equiv 1 \pmod q$, which means that the order of $2$ modulo $q$ divides $j - i$. However, by the fact below (Lemma 7.2), the order of $2$ modulo $q$ is $2^k$, which is a contradiction since $j - i < 2^k$. $\square$

Lemma 7.2. Let $q$ be a prime such that $2^{2^{k-1}} \equiv -1 \pmod q$ for some integer $k$. Then the order of $2$ modulo $q$ is $2^k$.

Proof. Let $a$ be the order of $2$ modulo $q$. By assumption $(2^{2^{k-1}})^2 = 2^{2^k} \equiv 1 \pmod q$. Then $a \mid 2^k$, i.e. $a = 2^\alpha$ for some $\alpha \le k$. Say $\alpha \le k - 1$. Then $1 \equiv (2^{2^\alpha})^{2^{k-1-\alpha}} = 2^{2^{k-1}} \equiv -1 \pmod q$, a contradiction. $\square$

The converse of Proposition 7.1 does not hold. For instance, let $K$ be the splitting field of the polynomial $x^8 + 1$ and $q = 401$. Then $q$ splits in $R$. However $f(2) = 257 \not\equiv 0 \pmod q$.

We now present a family of examples for which $\alpha = -1$ is a root of $f$ of order two. Conditions G, M, S, R' (order 2) and Q are all satisfied. The field $K$ is the cyclotomic number field of degree $\phi(2^k) = 2^{k-1}$, but instead of the cyclotomic polynomial we take the minimal polynomial of $\zeta_{2^k} + 1$, namely $(x-1)^{2^{k-1}} + 1$. In each case, $q$ is obtained by factoring $2^{2^{k-1}} + 1$ for various values of $k$, and splitting is verified using Proposition 7.1.


k    q
2    5
3    17
4    257
5    65537 ≈ 2^16
6    6700417 ≈ 2^22
7    274177 ≈ 2^18
7    q5 ≈ 2^45
8    q6 ≈ 2^55
8    q1 ≈ 2^72
9    q7 ≈ 2^50
9    q2 ≈ 2^205
10   2424833 ≈ 2^21
10   q3 ≈ 2^162
10   q4 ≈ 2^328
11   q8 ≈ 2^25
11   q9 ≈ 2^32
11   q10 ≈ 2^131
Several of these examples are of cryptographic size (the primes $q_1, \ldots, q_{10}$ are listed in full in the footnote at the end of Section 9), i.e. the field has degree $2^{k-1}$ of the order of $2^{10}$ and the prime is of size $2^{32}$ or greater. These provide examples which are weak against our Poly-LWE attack, by Proposition 3.2.
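As an added example (not from the paper), the Python below reproduces the construction of this family for small $k$: it finds prime factors $q$ of $2^{2^{k-1}} + 1$ by trial division restricted to candidates $q \equiv 1 \pmod{2^k}$ (Lemma 7.2 forces $2^k \mid q - 1$ for every such prime), then checks Lemma 7.2 (the order of $2$ is $2^k$), Proposition 7.1 (the $2^{k-1}$ odd powers of $2$ are distinct roots of $x^{2^{k-1}} + 1$ modulo $q$) and that $-1$ is a root of $(x-1)^{2^{k-1}} + 1$, the minimal polynomial of $\zeta_{2^k} + 1$. The Miller-Rabin primality test, the candidate limit $2^{20}$ and the restriction to $k \le 7$ are this example's own choices; for $k \ge 8$ the smallest prime factor exceeds the limit and nothing is found.

```python
# Added example (not from the paper): the family of Section 7.3 for small k, in plain Python.
# F = 2^(2^(k-1)) + 1 = f(2) for f = Phi_{2^k}(x) = x^(2^(k-1)) + 1.  By Lemma 7.2 every prime
# factor q of F has 2 of order 2^k, so 2^k | q - 1; trial division therefore only needs
# candidates q = j*2^k + 1.  The Miller-Rabin routine and the candidate limit are this
# example's own choices, not the paper's.


def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases (deterministic for n < 3 * 10^23)."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def fermat_factors(k, limit=1 << 20):
    """Prime factors of F = 2^(2^(k-1)) + 1 found by trial division over q = j*2^k + 1 <= limit,
    plus the remaining cofactor when it is prime.  Sorted; may be incomplete for large k."""
    F = (1 << (1 << (k - 1))) + 1
    step = 1 << k
    found, rest = [], F
    q = step + 1
    while q <= limit and q * q <= rest:
        while rest % q == 0:      # q is prime here: its prime factors are smaller candidates, tried earlier
            found.append(q)
            rest //= q
        q += step
    if rest > 1 and is_probable_prime(rest):
        found.append(rest)
    return sorted(found)


def order_of_two(q, k):
    """Lemma 7.2: given 2^(2^(k-1)) = -1 mod q, the order of 2 divides 2^k; return the exact order."""
    assert pow(2, 1 << (k - 1), q) == q - 1
    for t in range(k + 1):
        if pow(2, 1 << t, q) == 1:
            return 1 << t


def odd_powers_of_two_are_roots(q, k):
    """Proposition 7.1: 2, 2^3, ..., 2^(2^k - 1) are 2^(k-1) distinct roots of x^(2^(k-1)) + 1 mod q."""
    half = 1 << (k - 1)
    roots = {pow(2, j, q) for j in range(1, 1 << k, 2)}
    return len(roots) == half and all((pow(r, half, q) + 1) % q == 0 for r in roots)


def minus_one_is_root(q, k):
    """-1 is a root of (x - 1)^(2^(k-1)) + 1, the minimal polynomial of zeta_{2^k} + 1, modulo q."""
    half = 1 << (k - 1)
    return (pow(-2, half, q) + 1) % q == 0


def check_family(k):
    """True iff every factor found for this k passes the three checks above."""
    return all(order_of_two(q, k) == 1 << k and odd_powers_of_two_are_roots(q, k)
               and minus_one_is_root(q, k) for q in fermat_factors(k))


if __name__ == "__main__":
    for k in range(2, 8):
        print("k = %d: q in %s, checks pass: %s" % (k, fermat_factors(k), check_family(k)))
```

Note that for $k = 6$ the trial division also returns $641$, the small factor of $2^{32} + 1$, which satisfies all three checks just as $6700417$ does; the table above lists only the larger factor, in line with condition Q.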

8. Cyclotomic (in)vulnerability

One of our principal observations is that the cyclotomic fields, used for Ring-LWE, are uniquely protected against the attacks presented in this paper. The next proposition states that the polynomial ring of the $m$-th cyclotomic polynomial will never be vulnerable to the attack based on a root of small order.

Proposition 8.1. The roots of $\Phi_m(x)$ have order $m$ modulo every split prime $q$.

Proof. Consider the field $\mathbb{F}_q$, $q$ prime (with $q \nmid m$, as is the case for a split prime). Since $\mathbb{F}_q$ is perfect, the cyclotomic polynomial $\Phi_m(x)$ has roots in an extension of $\mathbb{F}_q$. This polynomial has no common factor with $x^k - 1$ for $k < m$. However, it divides $x^m - 1$. Therefore its roots have order dividing $m$, but not less than $m$. That is, its roots are all of order exactly $m$ in the field in which they live.

Now, if we further assume that $\Phi_m(x)$ splits modulo $q$, then its $\phi(m)$ roots are all elements of order $m$ modulo $q$, so in particular, $m \mid q - 1$. The roots of $\Phi_m(x)$ are all the elements of $\mathbb{Z}/q\mathbb{Z}$ of order exactly $m$. $\square$

The question remains whether there is another polynomial representation for the ring of cyclotomic integers for which $f$ does have a root of small order. This may in fact be the case, but the error distribution is transformed under the isomorphism to this new basis, so this does not guarantee a weakness in Poly-LWE for the cyclotomic ring.

However, it is not necessary to search for all such representations to rule out the possibility that this provides an attack. The ring $R_q \cong \mathbb{F}_q^n$ has exactly $n = \phi(m)$ homomorphisms to $\mathbb{Z}/q\mathbb{Z}$. If $R_q$ can be represented as $(\mathbb{Z}/q\mathbb{Z})[X]/f(X)$ with $f(\alpha) = 0$, then the map $R_q \to \mathbb{Z}/q\mathbb{Z}$ given by $p \mapsto p(\alpha)$ is one of these $n$ maps. It suffices to write down these $n$ maps (in terms of any representation!) and verify that the errors map to all of $\mathbb{Z}/q\mathbb{Z}$ instead of a small subset. It is a special property of the cyclotomic fields that these $n$ homomorphisms are all conjugate under the Galois group, so it suffices to examine one of them. Thus we are reduced to the case above.

9. Successfully coded attacks

The following table documents Ring-LWE and Poly-LWE parameters that were successfully attacked on a Thinkpad X220 laptop with Sage Mathematics Software [S], together with approximate timings. For code, see Appendix A. The first row indicates that cryptographic size is attackable in Poly-LWE. The second row indicates that a generic example attackable by Poly-LWE is also susceptible to Ring-LWE (see Section 6). We were unable to test the Ring-LWE attack for $n > 256$ only because Sage's built-in Discrete Gaussian Sampler was not capable of initializing (thus we were unable to produce samples to test).

The last two rows illustrate the $\tau$ of Theorem 5.3 that is required for security in practice (approximately $\tau < 0.013$ instead of $\tau < 1$ in theory). Note that these two rings are non-maximal orders ($q - 1$ is not squarefree). In the Ring-LWE rows, parameters were chosen to illustrate the boundary of feasibility for a fixed $n$. Since the feasibility of the attack depends on the ratio $\sqrt{q}/n$, there is no reason to think larger $n$ are invulnerable (provided $q$ also grows), but we were unable to produce samples to test against. The Poly-LWE example illustrates that the runtime for large $q$ is feasible (runtimes for Poly-LWE and Ring-LWE are the same; it is only the samples which differ).

Footnote (the primes $q_1, \ldots, q_{10}$ of the table in Section 7.3):
q1 = 5704689200685129054721,
q2 = 93461639715357977769163558199606896584051237541638188580280321,
q3 = 7455602825647884208337395736200454918783366342657,
q4 = 741640062627530801524787141901937474059940781097519023905821316144415759504705008092818711693940737,
q5 = 67280421310721,
q6 = 59649589127497217,
q7 = 1238926361552897,
q8 = 45592577,
q9 = 6487031809,
q10 = 4659775785220018543264560743076778192897.
case       f                             q          w       tau      samples   successful   time
                                                                     per run   runs         per run
Poly-LWE   x^1024 + 2^31 - 2             2^31 - 1   3.192   N/A      40        1 of 1       13.5 hrs
Ring-LWE   x^128 + 524288x + 524285      524287     8.00    N/A      20        8 of 10      24 sec
Ring-LWE   x^192 + 4092                  4093       8.87    0.0136   20        1 of 10      25 sec
Ring-LWE   x^256 + 8190                  8191       8.35    0.0152   20        2 of 10      44 sec
Appendix A. Code

A.1. Proof of concept for Ring-LWE and Poly-LWE attacks. The following Sage Mathematics Software [S] code verifies that Algorithm 2 succeeds on the Poly-LWE and Ring-LWE examples of Section 9. Note that Algorithm 1 is a minor modification of Algorithm 2.

This code relies on DiscreteGaussianDistributionLatticeSampler, a built-in package in Sage. The sampler is incapable of initializing in sufficiently large dimension to fully test the attacks in this paper. See the related trac ticket http://trac.sagemath.org/ticket/17764.

Built into the code are several error checks that will be triggered if sufficient precision is not used.

This code is available in electronic form at http://math.colorado.edu/~kstange/scripts.html.

##################################################
#                RING-LWE ATTACK                 #
##################################################

# General preparation of Sage: create a polynomial ring and import the Gaussian sampler and Timer
from __future__ import print_function
P.<y> = PolynomialRing(RationalField(), 'y')
from sage.stats.distributions.discrete_gaussian_lattice import DiscreteGaussianDistributionLatticeSampler
RP = RealField(300)   # this sets the precision; if it is insufficient, the implementation won't be valid
from sage.doctest.util import Timer

# Give the Minkowski lattice for a given ring determined by a polynomial.
# Also gives a key to which rows are real embeddings.
def cmatrix():   # returns a matrix whose columns are the basis 1, x, x^2, x^3, ... in the canonical embedding
    global N, a
    N.<a> = NumberField(f)
    fdeg = f.degree()
    key = [0 for i in range(fdeg)]   # 0 = real, 1 = real part of complex emb, 2 = imaginary part
    embs = N.embeddings(CC)          # complex embeddings, conjugate pairs adjacent
    M = matrix(RP, fdeg, fdeg)
    print("Preparing an embedding matrix: computing powers of the root.")
    apows = [a^j for j in range(fdeg)]
    print("Finished computing the powers of the root.")
    i = 0
    while i < fdeg:
        em = embs[i]
        if Mod(i, 20) == Mod(0, 20) or Mod(i, 20) == Mod(1, 20):
            print("Embedding matrix: ", i, " rows out of ", fdeg, " complete.")
        if em(a).imag() == 0:
            # real embedding: one row
            key[i] = 0
            for j in range(fdeg):
                M[i, j] = em(apows[j]).real()
            i = i + 1
        else:
            # complex embedding: one row for the real part, one for the imaginary part;
            # the conjugate embedding embs[i+1] is skipped
            key[i] = 1
            key[i+1] = 2
            for j in range(fdeg):
                M[i, j] = em(apows[j]).real()
                M[i+1, j] = em(apows[j]).imag()
            i = i + 2
    return M, key

# Produce a random vector from (Z/qZ)^n
def random_vec(q, dim):
    return vector([ZZ.random_element(0, q) for i in range(dim)])

# Useful function for real numbers modulo q
def modq(r, q):
    t = r/q - floor(r/q)
    return t*q

# Call sampler
def call_sampler():
    e = sampler().change_ring(RP)
    return e

# Create samples using a lattice (given by latmat and its inverse),
# a Gaussian sampler on that lattice, secret, prime
def get_sample(latmat, latmatinv, sec, qval, keyval):
    e = call_sampler()                                # create error, in R^n
    dim = latmat.dimensions()[0]                      # detect dimension of lattice
    pre_a = random_vec(qval, dim)                     # create a uniformly randomly in terms of basis in cm
    a = latmat*pre_a                                  # create a, in R^n
    b = vecmul_poly(a, sec, latmat, latmatinv) + e    # create b, in R^n
    pre_b = latmatinv*b                               # move to basis in cm in order to reduce mod q
    pre_b_red = vector([modq(c, qval) for c in pre_b])
    b = latmat*pre_b_red
    return [a, b]

# Global choices: set up a field and prime, sampler.
# Set to dummy values that will be altered when an attack is run
q = 1
n = 1
sig = 1/sqrt(2*pi)
Zq = IntegerModRing(q)
R.<x> = PolynomialRing(Zq)
f = y + 1
N.<a> = NumberField(f)
S.<z> = R.quotient(f)   # This is P_q
cm, key = cmatrix()
cmi = cm.inverse()
cm53 = cm.change_ring(RealField(10))   # low-precision copy: the sampler needs an exact rational basis
cmqq = cm53.change_ring(QQ)
sampler = DiscreteGaussianDistributionLatticeSampler(cmqq.transpose(), sig)

# Set the parameters for the attack
def setup_params(fval, qval, sval):
    global q, n, sig, f, S, x, z, Zq
    f = fval
    n = f.degree()
    q = qval
    Zq = IntegerModRing(q)
    R.<x> = PolynomialRing(Zq)
    sig = sval/sqrt(2*pi)   # sval is the width w = sqrt(2 pi) sigma
    S.<z> = R.quotient(f)
    print("Setting up parameters, polynomial = ", f, " and prime = ", q, " and sigma = ", sig)
    print("Verifying properties: ")
    print("Prime?", q.is_prime())
    print("Irreducible? ", f.is_irreducible())
    print("Value at 1 modulo q?", Mod(f.subs(y=1), q))
    return True

# Compute the lattices in Minkowski space
def prepare_matrices():
    global cm, key, cmi, cmqq
    print("Preparing matrices.")
    cm, key = cmatrix()
    print("Embedding matrix prepared.")
    cmi = cm.inverse()
    print("Inverse matrix found.")
    cm53 = cm.change_ring(RealField(10))
    cmqq = cm53.change_ring(QQ)
    print("All matrices prepared.")
    return True

# Make a vector in R^n into a polynomial, given change of basis matrix and variable to use
def make_poly(a, matchange, var):
    coeffs = matchange*a   # coefficients of the polynomial are given by the change of basis matrix
    pol = 0
    for i in range(n):
        pol = pol + ZZ(round(coeffs[i]))*var^i   # var controls where it will live (what poly ring)
    return pol

# Make a polynomial into a vector in Minkowski space
def make_vec(fval, matchange):
    coeffs = [0 for i in range(n)]
    if fval != 0:
        colist = lift(fval).list()   # dense coefficient list, zeros included
        for i in range(len(colist)):
            coeffs[i] = ZZ(colist[i])
    return matchange*vector(coeffs)

# Multiplication in the Minkowski space via moving to polynomial ring
def vecmul_poly(u, v, mat, matinv):
    poly_u = make_poly(u, matinv, z)
    poly_v = make_poly(v, matinv, z)
    poly_prod = poly_u*poly_v
    return make_vec(poly_prod, mat)

# Create the sampler on the lattice embedded in R^n
def initiate_sampler():
    global sampler
    print("Initiating Sampler.")
    sampler = DiscreteGaussianDistributionLatticeSampler(cmqq.transpose(), sig)
    print("Sampler initiated with sigma", RDF(sig))
    return True

# Produce error vectors, just a test to see how they look
def error_test(num):
    print("Testing the error vector production by producing ", num, " errors.")
    errorlist = [sampler().norm().n() for _ in range(num)]
    meannorm = mean(errorlist)   # average norm
    maxnorm = max(errorlist)     # maximum norm
    print("The average error norm is ", RDF(meannorm/(sqrt(n)*sampler.sigma*sqrt(2*pi))), " times sqrt(n)*s.")
    maxratio = RDF(maxnorm/(sqrt(n)*sampler.sigma*sqrt(2*pi)))
    print("The maximum error norm is ", maxratio, " times sqrt(n)*s.")
    if maxratio > 1:
        print(" ERROR ")
        print("The errors do not satisfy a proven upper bound in norm.")
    return True

# Create the secret
secret = 0

def create_secret():
    global secret
    secret = cm*random_vec(q, n)
    return True

# Produce samples
samps = []
numsamps = 1

def create_samples(numsampsval):
    global samps, numsamps
    samps = []
    print("Creating samples")
    for i in range(numsampsval):
        print("Creating sample number ", i)
        samp = get_sample(cm, cmi, secret, q, key)
        samps.append(samp)
    numsamps = len(samps)
    print("Done creating ", numsamps, "samples.")
    return True

# Function for going down to q: move a vector to the polynomial ring and evaluate at 1
def go_to_q(a, matchange):
    pol = make_poly(a, matchange, x)
    pol_eval = pol.subs(x=1)
    return Zq(pol_eval)

# Check to make sure moving to q preserves products: the two quantities should be equal
def sanity_check():
    print("Initiating sanity check")
    mat = cmi
    pvec1 = random_vec(q, n)
    vec1 = cm*pvec1
    pvec2 = random_vec(q, n)
    vec2 = cm*pvec2
    vprod2 = vecmul_poly(vec1, vec2, cm, cmi)
    first_thing = go_to_q(vprod2, mat)
    second_thing = go_to_q(vec1, mat)*go_to_q(vec2, mat)
    if first_thing == second_thing:
        print("Sanity confirmed.")
    else:
        print(" ERROR ")
        print("Sanity problem:", first_thing, " is not equal to ", second_thing, ".")
        print("Are you sure your ring has root 1 mod q?")
    return True

# Given a list of elements of Z/qZ, make a histogram and zero count
def histoq(data):
    hist = [0 for i in range(10)]   # empty histogram, ten bins over [0, q)
    zeroct = 0                      # count of zeroes mod q
    for datum in data:
        e = datum
        if e == 0:
            zeroct = zeroct + 1
        histbit = floor(ZZ(e)*10/q)
        hist[histbit] = hist[histbit] + 1
    return [hist, zeroct]

# Given a list of vectors in R^n, create a histogram of their
# values in Z/qZ under make_poly, together with a zero count
def histo(data, cmi):
    return histoq([go_to_q(datum, cmi) for datum in data])

# Create a histogram of error vectors, transported to polynomial ring
def histogram_of_errors():
    print("Creating a histogram of errors mod q.")
    errs = []
    for i in range(80):
        errs.append(sampler())
    hist = histo(errs, cmi)
    print("The number of error vectors that are zero:", hist[1])
    bar_chart(hist[0], width=1).show(figsize=2)
    return True

# Create a histogram of the a's in the samples, transported to polynomial ring
def histogram_of_as():
    print("Creating a histogram of sample a's mod q.")
    a_vals = [samp[0] for samp in samps]
    hist = histo(a_vals, cmi)
    print("The number of a's that are zero:", hist[1])
    bar_chart(hist[0], width=1).show(figsize=2)
    return True

# Create a histogram of errors by correct guess
def histogram_of_errors_2():
    print("Creating a histogram of supposed errors if sample is guessed, mod q.")
    hist = histoq([lift(Zq(go_to_q(sample[1], cmi) - go_to_q(sample[0], cmi)*go_to_q(secret, cmi))) for sample in samps])
    print("The number of such errors that are zero:", hist[1])
    bar_chart(hist[0], width=1).show(figsize=2)
    return True


# Create the secret mod q
lift_s = 0
def secret_mod_q():
    global lift_s
    lift_s = go_to_q(secret, cmi)
    print("Storing the secret mod q. The secret is ", secret, " which becomes ", lift_s)
    return True

# Algorithm 2
# reportrate controls how often it updates the status of the loop; larger = less frequently
# quickflag = True will run only the secret and a few other values to give a quick idea if it works
def alg2(reportrate, quickflag=False):
    print("Beginning algorithm 2.")
    numsamps = len(samps)
    a = [0 for i in range(numsamps)]
    b = [0 for i in range(numsamps)]
    print("Moving samples to F_q.")
    for i in range(numsamps):
        sample = samps[i]
        a[i] = go_to_q(sample[0], cmi)
        b[i] = go_to_q(sample[1], cmi)
    possibles = []
    winner = [[], 0]
    print("Samples have been moved to F_q.")
    for i in range(2):
        if i == 0:
            print("!!!!! ROUND 1: !!!!! First, checking how many samples the secret survives (peeking ahead).")
            iterat = [lift_s]
        if i == 1:
            print("!!!!! ROUND 2: !!!!! Now, running the attack naively.")
            possibles = []
            if quickflag:
                print("We are doing it quickly (not a full test).")
                iterat = range(1000)
            else:
                iterat = range(q)
        for g in iterat:
            if Mod(lift(Zq(g)), reportrate) == Mod(0, reportrate):
                print("Currently checking residue ", g)
            g = Zq(g)
            potential = True
            ctr = 0
            while ctr < numsamps and potential:
                # b - g*a is the candidate error; it must lie in [-q/4, q/4) for every sample
                e = abs(lift(Zq(b[ctr] - g*a[ctr])))
                if e > q/4 and e < 3*q/4:
                    potential = False
                    if ctr == winner[1]:
                        winner[0].append(g)
                        print("We have a new tie for longest chain:", g, " has survived ", ctr, " rounds.")
                    if ctr > winner[1]:
                        winner = [[g], ctr]
                        print("We have a new longest chain of samples survived:", g, " has survived ", ctr, " rounds.")
                ctr = ctr + 1
            if potential == True:
                print("We found a potential secret: ", g)
                possibles.append(g)
                if g == lift_s:
                    if i == 0:
                        print("The real secret survived ", ctr, "samples.")
                #break
    print("Full list of survivors of the ", numsamps, " samples:", possibles)
    print("The real secret mod q was: ", lift_s)
    if len(possibles) == 1 and possibles[0] == lift_s:
        print("Success!")
        return True
    else:
        print("Failure!")
        return False

# Run a simulation.
# fval: the polynomial f; qval: the modulus q; sval: the error parameter s;
# numsampsval: number of samples per trial; numtrials: number of trials; quickflag as in alg2.
def shebang(fval, qval, sval, numsampsval, numtrials, quickflag=False):
    global sig
    print "Welcome to the Ring-LWE Attack."
    n = fval.degree()
    print "The attack should theoretically work if the following quantity is greater than 1."
    print "Quantity: ", RDF( qval/( 2*sqrt(2)*sval*n*(qval-1)^((n-1)/2/n) ) )
    timer = Timer()     # times each phase
    timer2 = Timer()    # times all the rounds
    timer.start()
    print "********** PHASE 1: SETTING UP SYSTEM"
    setup_params(fval, qval, sval)
    prepare_matrices()
    print "Computing the adjustment factor for s."
    # Number of pairs of complex embeddings of the number field N
    cembs = (n - len(N.embeddings(RR)))/2
    # n-th root of the covolume 2^(-cembs)*sqrt|disc(f)| of Z[x]/(f) under the canonical embedding;
    # sigma and s are scaled by it
    detscale = RDF( ( 2^(-cembs)*sqrt(abs(f.discriminant())) )^(1/n) )
    sval = sval*detscale
    sig = sig*detscale
    print "Adjusted s for use with this embedding, result is ", sval
    initiate_sampler()
    print "The sampler has been created with sigma = ", sampler.sigma
    print "Sampled vectors will have expected norm ", RDF(sqrt(n)*sampler.sigma)
    error_test(5)
    print "Time for Phase 1: ", timer.stop()
    timer.start()
    count_successes = 0
    timer2.start()
    for trialnum in range(numtrials):
        print "********** TRIAL NUMBER ", trialnum
        print "********** PHASE 2: CREATE SECRET AND SAMPLES"
        create_secret()
        create_samples(numsampsval)
        sanity_check()
        print "Time for Phase 2: ", timer.stop()
        timer.start()
        print "********** PHASE 3: HISTOGRAMS"
        histogram_of_errors()
        print "The histogram of errors (above) should be clustered at the edges for success."
        histogram_of_as()
        print "The histogram of a's (above) should be fairly uniform."
        histogram_of_errors_2()
        print "The histogram of sample errors (above) should be clustered at the edges for success."
        print "Time for Phase 3: ", timer.stop()
        timer.start()
        print "********** PHASE 4: ATTACK ALGORITHM"
        secret_mod_q()
        result = alg2(10000, quickflag)
        print "Result of Algorithm 2:", result
        print "Time for Phase 4: ", timer.stop()
        if result == True:
            count_successes = count_successes + 1
        print "**********", count_successes, " out of ", trialnum+1, " successes so far. **********"
    totaltime = timer2.stop()
    print "Total time for ", trialnum+1, " trials was ", totaltime
    return count_successes
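The simulation above relies on Sage and on helpers defined earlier in this appendix (the sampler, go_to_q, the change-of-basis matrix cmi and the timers). The following self-contained Python script is an added example, written for this page and not part of the authors' code, that shows the core of Algorithm 2 on a Poly-LWE instance the reader can run directly. Its parameters are constructed assumptions: f(x) = x^8 + 3x + 237 (Eisenstein at 3, hence irreducible over Q) and q = 241 = f(1), so that alpha = 1 is a root of f modulo q and evaluation at 1 is a ring homomorphism from Z[x]/(f, q) to F_q; the secret is uniform in (Z/qZ)^8 and the error has coefficients in {-1, 0, 1}, a toy stand-in for the Gaussian sampler used above. The image of each error is then a sum of eight small coefficients and lies within q/4 of 0, whereas for a wrong guess g the residue b(1) - g a(1) is close to uniform in F_q and is rejected by roughly half of the samples, so with 30 samples only the image of the true secret survives. Unlike shebang, the script works on Poly-LWE samples directly and does not apply the transformation cmi.

```python
import random

# Constructed toy instance (an assumption of this example, not a parameter set from the paper):
# f(x) = x^8 + 3x + 237 is Eisenstein at 3, so irreducible over Q, and f(1) = 241 is prime.
# Hence alpha = 1 is a root of f modulo q = 241 and "evaluate at 1" is a ring homomorphism
# Z[x]/(f, q) -> F_q, the map Algorithm 2 exploits.
Q = 241
F = [237, 3, 0, 0, 0, 0, 0, 0, 1]   # coefficients of f, lowest degree first (monic, degree 8)
N = len(F) - 1
ALPHA = 1

def centered(v, q=Q):
    """Lift v in Z/qZ to its representative in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def poly_mul_mod(a, b, f=F, q=Q):
    """Multiply a*b in Z_q[x]/(f); coefficient lists lowest degree first, f monic."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    # Reduce x^k for k >= n using x^n = -(f_0 + f_1 x + ... + f_{n-1} x^{n-1}).
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for i in range(n):
                prod[k - n + i] = (prod[k - n + i] - c * f[i]) % q
    return prod[:n]

def go_to_q(poly, alpha=ALPHA, q=Q):
    """Image of a polynomial in F_q under evaluation at alpha (Horner's rule)."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * alpha + c) % q
    return acc

def make_samples(secret, num_samples, rng, q=Q, n=N):
    """Poly-LWE samples (a, b = a*s + e) with the toy error e in {-1, 0, 1}^n."""
    samples = []
    for _ in range(num_samples):
        a = [rng.randrange(q) for _ in range(n)]
        e = [rng.choice((-1, 0, 1)) for _ in range(n)]
        b = [(x + y) % q for x, y in zip(poly_mul_mod(a, secret), e)]
        samples.append((a, b))
    return samples

def attack(samples, q=Q):
    """Algorithm 2: every g in F_q for which b(alpha) - g*a(alpha) is within q/4 of 0 for all samples."""
    pairs = [(go_to_q(a), go_to_q(b)) for a, b in samples]
    survivors = []
    for g in range(q):
        if all(abs(centered(bq - g * aq)) <= q // 4 for aq, bq in pairs):
            survivors.append(g)
    return survivors

def run_trial(num_samples=30, seed=1):
    """One simulation: pick a secret, make samples, attack; return (true image of s, survivors)."""
    rng = random.Random(seed)
    secret = [rng.randrange(Q) for _ in range(N)]
    samples = make_samples(secret, num_samples, rng)
    return go_to_q(secret), attack(samples)

if __name__ == "__main__":
    truth, found = run_trial()
    print("image of the secret in F_q:", truth, " survivors of Algorithm 2:", found)
```

Reducing each sample to a single residue is what makes the search linear in q: the loop in attack costs q times the number of samples, independently of n once the evaluations at alpha are done, and the survivor list is the quantity whose size the paper's experiments report.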


A.2. Sage code for Algorithm 3. The following Sage Mathematics Software [S] function returns the largest prime q modulo which a polynomial f has a root in common with x^m - 1, that is, a root whose multiplicative order divides m. It reads q off the denominators of the Bezout coefficients of f and x^m - 1 over Q (these denominators divide the resultant of the two polynomials); whether the common root has order exactly m modulo the returned q should be checked separately, for instance from the roots of f modulo q.

x = PolynomialRing(RationalField(), 'x').gen()
def findq(f, m):
    g = x^m - 1
    # xgcd returns (d, u, v) with u*f + v*g = d; d = 1 when f and g are coprime over Q
    xg = f.xgcd(g)
    cofs = xg[2].coefficients()
    dens = [ a.denominator() for a in cofs ]
    facs = lcm(dens).factor()
    if len(facs) == 0:
        return None   # the coefficients are integral, so no prime is found this way
    return max([ fac[0] for fac in facs ])
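findq needs no search bound but says nothing about the exact order of the root it finds. As an added cross-check, written for this page and not taken from the paper, the following pure Python brute-force routine enumerates the primes below a bound (the bound is an assumption of the example), computes for each prime the roots of f and their multiplicative orders, and returns the largest prime modulo which f has a root of order exactly m. For the constructed polynomial f(x) = x^8 + 3x + 237, f(1) = 241 and f(-1) = 235 = 5 * 47, so it returns 241 for m = 1 and 47 for m = 2; orders_of_roots is the check to run on any q returned by findq.

```python
# Sample polynomial, lowest degree first: f(x) = x^8 + 3x + 237 (a constructed example, not from the paper).
F_EXAMPLE = [237, 3, 0, 0, 0, 0, 0, 0, 1]

def primes_below(bound):
    """Primes strictly below bound (bound >= 2), by a plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * bound
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound, i)))
    return [i for i in range(bound) if sieve[i]]

def eval_mod(f, r, q):
    """f(r) modulo q by Horner's rule (f given lowest degree first)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * r + c) % q
    return acc

def roots_mod(f, q):
    """All roots of f in Z/qZ, found by exhaustive evaluation (fine for small q)."""
    return [r for r in range(q) if eval_mod(f, r, q) == 0]

def mult_order(r, q):
    """Multiplicative order of a nonzero residue r modulo the prime q."""
    k, acc = 1, r % q
    while acc != 1:
        acc = acc * r % q
        k += 1
    return k

def orders_of_roots(f, q):
    """Map each nonzero root of f modulo the prime q to its multiplicative order.
    This is the check to run on a q returned by findq, which only guarantees a root
    whose order divides m."""
    return {r: mult_order(r, q) for r in roots_mod(f, q) if r != 0}

def find_q_by_roots(f, m, bound=1000):
    """Largest prime q below bound such that f has a root of order exactly m modulo q, or None."""
    for q in reversed(primes_below(bound)):
        if m in orders_of_roots(f, q).values():
            return q
    return None

if __name__ == "__main__":
    for m in (1, 2):
        print("m =", m, "-> q =", find_q_by_roots(F_EXAMPLE, m))
```

The brute-force search is only practical for small bounds, which is why the paper uses the denominator method; the value of the search here is that it confirms the order of the root, the property the attack on Poly-LWE actually needs.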